<p>eternal-todo.com blogs: <a href="http://eternal-todo.com/blog">http://eternal-todo.com/blog</a></p>
<p><strong><a href="http://eternal-todo.com/blog/dridex-spam-campaign-pdf-docm-infection-vector">Dridex spam campaign using PDF as infection vector</a></strong></p>
<p style="margin-bottom: 0cm" class="rtejustify">During this month a <a href="https://twitter.com/peepdf/status/851563007914250240">Dridex spam campaign using PDF documents</a> as infection vector was spotted. I also received a couple of e-mails in my personal inbox with the mentioned PDF files attached. One of them used the typical &ldquo;scanned data&rdquo; theme (subject <i>&ldquo;Scan data&rdquo;</i>, sender <i>&ldquo;scanner at eternal-todo.com&rdquo;</i>) and the other one was related to a confirmation letter (subject <i>&ldquo;uk_confirmation_ph764968900.pdf&rdquo;</i>, sender <i>&ldquo;info at calmbeginnings.co.uk&rdquo;</i>). Neither of them was really good at social engineering: just a few words and the attachment.</p>
<p style="margin-bottom: 0cm" class="rtejustify">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtecenter"><a href="/eternal_files/uploads/pdf_docm_dridex_spam_scan_data.png" target="_blank"><img src="/eternal_files/uploads/pdf_docm_dridex_spam_scan_data_0.png" alt="Dridex Spam Campaign PDF DOCM Scan Data" border="0" height="286" width="500" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtecenter"><a href="/eternal_files/uploads/pdf_docm_dridex_spam_confirmation.png" target="_blank"><img src="/eternal_files/uploads/pdf_docm_dridex_spam_confirmation_0.png" alt="Dridex Spam Campaign PDF DOCM Confirmation Letter" border="0" height="270" width="500" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtejustify">Both PDF documents, named <i>&ldquo;Scan_62229.pdf&rdquo;</i> (<a href="https://www.virustotal.com/es/file/4637f33e25203729709d11dba6ecf79c084b92a7da28c1c48c78f30370820f7d/analysis/">81fa2eb97128b6d711158f37698e044f</a>) and <i>&ldquo;uk_confirmation_ph764968900.pdf&rdquo;</i> (<a href="https://www.virustotal.com/es/file/05d144e3473c264646ad5e2fe587fd8e8efa57451dc32c5fcf86a444d38f1c39/analysis/">85066792c8952100ac057055a2f49a8c</a>), had a docm file embedded and used Javascript code to save and execute the attachment. As you can see in the following image, the <a href="http://help.adobe.com/en_US/acrobat/acrobat_dc_sdk/2015/HTMLHelp/index.html#t=Acro12_MasterBook%2FJS_API_AcroJS%2FDoc_methods.htm%23TOC_exportDataObjectbc-31&amp;rhtocid=_6_1_8_23_1_30">exportDataObject</a> function was called with <i>nLaunch=2</i>, which saves the attachment AND opens it afterwards without prompting the user for a path. If the <i>nLaunch</i> argument is not present, the function just saves the document on disk without opening it. With <a href="https://github.com/jesparza/peepdf">peepdf</a>'s output it is quite easy to locate the interesting objects (<em>object 11</em> for the Javascript code and <em>object 3</em> for the embedded document).</p>
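<p style="margin-bottom: 0cm" class="rtejustify">Since the whole trick rests on two things an analyst can check statically, an embedded file object and a script calling <em>exportDataObject</em> with <em>nLaunch</em> set, here is an added example (not part of the original post and not peepdf code) of a small Python scanner that pulls those two indicators out of a raw PDF. The sample PDF bytes are constructed for the example and only sketch the object layout described above; the object numbers, file name and function names in it are this example's own. It does not inflate streams or object streams, which peepdf does, so it is a triage check rather than a replacement for the tool.</p>

```python
import re

# Constructed sample (not one of the campaign's files): a minimal sketch of the object
# layout described above, i.e. an /EmbeddedFile stream plus a JavaScript action that
# calls exportDataObject with nLaunch=2. Only the parts the scanner looks at are present.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 11 0 R
/Names << /EmbeddedFiles << /Names [(ScanData.docm) 4 0 R] >> >> >> endobj
3 0 obj << /Type /EmbeddedFile /Length 5 >> stream
XXXXX
endstream endobj
4 0 obj << /Type /Filespec /F (ScanData.docm) /EF << /F 3 0 R >> >> endobj
11 0 obj << /S /JavaScript /JS (this.exportDataObject({cName: "ScanData.docm", nLaunch: 2});) >> endobj
"""

# Constructed benign sample: no embedded file and no JavaScript at all.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
EMBEDDED_RE = re.compile(rb"/EmbeddedFile(?![A-Za-z])")   # /EmbeddedFile, not /EmbeddedFiles
EXPORT_RE = re.compile(r"exportDataObject\s*\(\s*\{([^}]*)\}", re.S)


def extract_js_strings(data: bytes) -> list[str]:
    """Return the text of every /JS (...) literal string. PDF literal strings may contain
    balanced parentheses, so this walks the bytes tracking nesting depth; a backslash
    keeps the next byte literally (enough for the escaped parentheses that matter here).
    /JS values given as an indirect stream reference are not followed."""
    scripts = []
    for m in re.finditer(rb"/JS\s*\(", data):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(data):
            c = data[i]
            if c == 0x5C:                       # backslash: copy the escaped byte
                buf += data[i + 1:i + 2]
                i += 2
                continue
            if c == 0x28:                       # "("
                depth += 1
            elif c == 0x29:                     # ")"
                depth -= 1
                if depth == 0:
                    break
            buf.append(c)
            i += 1
        scripts.append(buf.decode("latin-1"))
    return scripts


def find_export_calls(script: str) -> list[dict]:
    """Pull cName and nLaunch out of each exportDataObject({...}) call. A missing nLaunch
    is recorded as 0 (save only); the post notes that nLaunch=2 saves the attachment and
    then opens it without prompting the user for a path."""
    calls = []
    for m in EXPORT_RE.finditer(script):
        args = m.group(1)
        name = re.search(r"""cName\s*:\s*['"]([^'"]*)['"]""", args)
        launch = re.search(r"nLaunch\s*:\s*(\d)", args)
        calls.append({"cName": name.group(1) if name else None,
                      "nLaunch": int(launch.group(1)) if launch else 0})
    return calls


def assess(data: bytes) -> dict:
    """Combine the two indicators: embedded file objects and exportDataObject calls."""
    embedded = [int(m.group(1)) for m in OBJ_RE.finditer(data) if EMBEDDED_RE.search(m.group(3))]
    calls = [c for s in extract_js_strings(data) for c in find_export_calls(s)]
    return {
        "embedded_file_objects": embedded,
        "export_calls": calls,
        # nLaunch 1 or 2 means the attachment is opened right after being saved
        "auto_launch": any(c["nLaunch"] in (1, 2) for c in calls),
        # an attachment plus a script that saves it is the pattern seen in these PDFs
        "suspicious": bool(embedded) and bool(calls),
    }


if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, assess(pdf))
```

<p style="margin-bottom: 0cm" class="rtejustify">The <em>nLaunch</em> value is the part worth keeping in a detection record: 2 (and 1) means the attachment is opened as soon as it is saved, while a call without it only writes the file to disk. Because the scanner works on raw bytes, anything hidden behind a stream filter or inside an object stream needs to be decoded first, which is exactly where peepdf comes in.</p>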
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtecenter"><a href="/eternal_files/uploads/pdf_docm_dridex_peepdf_output.png" target="_blank"><img src="/eternal_files/uploads/pdf_docm_dridex_peepdf_output_0.png" alt="Dridex Spam Campaign PDF DOCM peepdf info" border="0" height="591" width="500" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">Extracting the docm file with <a href="https://eternal-todo.com/tools/peepdf-pdf-analysis-tool">peepdf</a> is as easy as using the <a href="https://github.com/jesparza/peepdf/wiki/Commands"><em><strong>&ldquo;stream&rdquo;</strong></em></a> command together with the &ldquo;greater than&rdquo; sign to save it on disk. Then we can check <a href="https://www.virustotal.com/">VirusTotal</a> with the <em><strong>&ldquo;vtcheck&rdquo;</strong></em> command to see if it is detected as malicious or not.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtecenter"><a href="/eternal_files/uploads/pdf_docm_dridex_peepdf_extract_file.png" target="_blank"><img src="/eternal_files/uploads/pdf_docm_dridex_peepdf_extract_file_0.png" alt="Dridex Spam Campaign PDF DOCM peepdf extract file" border="0" height="291" width="500" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rteleft">The two docm files extracted from the PDF documents, named <i>&ldquo;ScanData049124.docm&rdquo;</i> (<a href="https://www.virustotal.com/es/file/75728a667dd40d0af0e6b61502d238c3c30e14fe6a738b15455b2dc4fad5ccb5/analysis/">44edff8fa67eb916fda880de42dad708</a>) and <i>&ldquo;20170401907863.docm&rdquo;</i> (<a href="https://www.virustotal.com/es/file/a3d9c11b01aabe9b1c182d438cdf33c4ef4e22a61703d605ada8a6bae0ff9ee4/analysis/">60db2cd260a77934c70c924166cabc5a</a>), are Word documents containing macros. This is the typical infection vector used by cybercriminals nowadays, so I will not go into details here. You can use <a href="https://blog.didierstevens.com/programs/oledump-py/">oledump</a> and other tools to extract and analyze the macros.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">In this case, the macros downloaded an XORed executable from different URLs, decoded it and executed it to infect the machine. The dropped malware (<a href="https://www.virustotal.com/es/file/1072e9f512abaafc1f510b31bcf56fd668f9f7cf558984052720aa85d311bca7/analysis/">f1fd0a8e9443710df0859109588eb5fa</a> and <a href="https://www.virustotal.com/es/file/6739c782d114307deaac42120a7061f51f9e74a86f1e60664997a269784143f2/analysis/">117da8ef79cb0d96c1c803709bd4827f</a>) was Dridex; more specifically, these binaries belong to botnet 7200. These are the URLs used to download the binaries (some of them still active):</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<pre>mentalmysteries[.]com/kjv783r
semfamily[.]com/kjv783r
perisoft[.]org/kjv783r
centralsecuritybureau[.]com/874hv
tserv[.]su/874hv
kapil[.]50webs[.]com/874hv</pre>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">Normally there is no useful metadata in malicious PDF files, but in this case the <strong>&quot;metadata&quot;</strong> command shows some information. Apparently, the attackers used <a href="https://github.com/itext">iText</a> to create the PDF files, and they were created in a country whose time zone is UTC+3. Of course, this information can be faked, but in this case I would say it is accurate ;)</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<pre>&lt;&lt; /Producer iTextSharp&trade; 5.5.10 &copy;2000-2016 iText Group NV (AGPL-version)
/CreationDate D:20170410150016+03'00'
/ModDate D:20170410150016+03'00' &gt;&gt;</pre>
<p style="margin-bottom: 0cm">&nbsp;</p>
<pre>&lt;&lt; /Producer iTextSharp&trade; 5.5.10 &copy;2000-2016 iText Group NV (AGPL-version)
/CreationDate D:20170411122518+03'00'
/ModDate D:20170411122518+03'00' &gt;&gt;</pre>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">Just as cybercriminals have gone back to using documents with macros to spread malware, they have not forgotten PDF files as an infection vector either. Many users still consider PDF documents harmless, and even when warning dialogs appear they click through them and get infected. Luckily, analysts can still use <a href="https://eternal-todo.com/category/peepdf">peepdf</a> to have a good time playing with these malicious documents ;) Happy hunting!</p>
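<p style="margin-bottom: 0cm">As an added example (not from the post), the following Python parses the two /Info dictionaries printed above, turns the PDF date strings into timezone-aware datetimes and reports the UTC offset, the creation time in UTC, whether creation and modification times coincide, and the gap between the two documents' creation times. The dictionaries are copied from the output above; the function names are this example's own.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# The two /Info dictionaries shown above, as peepdf printed them.
INFO_1 = """<< /Producer iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
/CreationDate D:20170410150016+03'00'
/ModDate D:20170410150016+03'00' >>"""
INFO_2 = """<< /Producer iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
/CreationDate D:20170411122518+03'00'
/ModDate D:20170411122518+03'00' >>"""

# "/Key value" pairs; a value runs until the next "/Key " or the closing ">>".
ENTRY_RE = re.compile(r"/(\w+)\s+(.*?)\s*(?=/[A-Za-z]+\s|>>)", re.S)
# PDF date syntax: D:YYYYMMDDHHmmSSOHH'mm' where everything after the year is optional
# and O is +, - or Z.
PDF_DATE_RE = re.compile(
    r"^D:(?P<Y>\d{4})(?P<M>\d{2})?(?P<D>\d{2})?(?P<h>\d{2})?(?P<m>\d{2})?(?P<s>\d{2})?"
    r"(?P<tz>[Zz+\-])?(?:(?P<tzh>\d{2})'?(?:(?P<tzm>\d{2})'?)?)?$"
)


def parse_info_dict(text: str) -> dict[str, str]:
    """Split a printed << /Key value ... >> dictionary into a {key: value} mapping."""
    return {k: v for k, v in ENTRY_RE.findall(text)}


def parse_pdf_date(value: str) -> datetime:
    """Convert a PDF date string to a datetime; aware when an offset is present."""
    m = PDF_DATE_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a PDF date: {value!r}")
    g = m.groupdict()
    naive = datetime(int(g["Y"]), int(g["M"] or 1), int(g["D"] or 1),
                     int(g["h"] or 0), int(g["m"] or 0), int(g["s"] or 0))
    if g["tz"] is None:
        return naive                                 # no offset: relation to UTC unknown
    if g["tz"] in "Zz":
        return naive.replace(tzinfo=timezone.utc)
    sign = 1 if g["tz"] == "+" else -1
    offset = timedelta(hours=int(g["tzh"] or 0), minutes=int(g["tzm"] or 0))
    return naive.replace(tzinfo=timezone(sign * offset))


def describe(info_text: str) -> dict:
    """Summarize the producer and timestamps of one /Info dictionary."""
    info = parse_info_dict(info_text)
    created = parse_pdf_date(info["CreationDate"])
    modified = parse_pdf_date(info["ModDate"])
    off = created.utcoffset()
    return {
        "producer": info.get("Producer"),
        "created_utc": created.astimezone(timezone.utc).isoformat() if off is not None else None,
        "utc_offset_hours": off.total_seconds() / 3600 if off is not None else None,
        # identical timestamps fit a file generated in one pass and never edited
        "created_equals_modified": created == modified,
    }


def creation_delta_seconds(info_a: str, info_b: str) -> float:
    """Seconds between the creation times of two documents."""
    a = parse_pdf_date(parse_info_dict(info_a)["CreationDate"])
    b = parse_pdf_date(parse_info_dict(info_b)["CreationDate"])
    return (b - a).total_seconds()


if __name__ == "__main__":
    for text in (INFO_1, INFO_2):
        print(describe(text))
    print("gap between documents (s):", creation_delta_seconds(INFO_1, INFO_2))
```

<p style="margin-bottom: 0cm">Normalizing to UTC is what makes timestamps from different samples comparable; the offset itself is kept separately because, as said above, it is the one hint about the operator's location and it is also the easiest field to fake.</p>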
<p>Tags: Analysis, Botnets, Dridex, Javascript, Macros, Malware, PDF, peepdf. Published Sun, 23 Apr 2017 23:24:17 +0000 by jesparza. <a href="http://eternal-todo.com/blog/dridex-spam-campaign-pdf-docm-infection-vector#comments">Comments</a></p>
<p><strong><a href="http://eternal-todo.com/blog/adding-scoring-system-peepdf-pdf-analysis">Adding a scoring system in peepdf</a></strong></p>
<p>Just before the summer <a href="http://eternal-todo.com/blog/peepdf-gsoc-github-blackhat-arsenal">I&nbsp;announced</a> that the student <a href="https://github.com/rohit-dua">Rohit Dua</a> would dedicate his time to improving <a href="http://eternal-todo.com/tools/peepdf-pdf-analysis-tool">peepdf</a> and adding a scoring system to the output. This was possible thanks to Google and its <a href="https://www.google-melange.com/gsoc/project/details/google/gsoc2015/rohitdua/5738600293466112">Google Summer of Code (GSoC)</a> program, in which I&nbsp;presented several projects as a member of <a href="http://twitter.com/ProjectHoneynet">The Honeynet Project</a>. A beta version was presented during <a href="https://www.blackhat.com/docs/eu-15/materials/eu-15-Esparza-peepdf.pdf">Black Hat Europe Arsenal 2015</a> last November, where I introduced the new functionalities.</p>
<p>The goal of the scoring system is to give a useful estimate of how likely it is that the PDF file being analyzed is malicious. The first step is identifying the elements that help distinguish malicious PDF files from benign ones, like Javascript code, lonely objects, huge gaps between objects, detected vulnerabilities, etc. The next step is calculating a score out of these elements and testing it against a large collection of malicious and benign PDF files in order to tune it.</p>
<p>The scoring is based on different indicators like:</p>
<ul>
<li>Number of pages</li>
<li>Number of stream filters</li>
<li>Broken/Missing cross reference table</li>
<li>Obfuscated elements: names, strings, Javascript code.</li>
<li>Malformed elements: garbage bytes, missing tags&hellip;</li>
<li>Encryption with default password</li>
<li>Suspicious elements: Javascript, event triggers, actions, known vulns&hellip;</li>
<li>Big streams and strings</li>
<li>Objects not referenced from the Catalog</li>
</ul>
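<p>To make the indicator idea concrete, here is an added example in Python (this example's own code, not peepdf's scoring implementation): it computes a handful of the indicators listed above on a raw PDF, including the &ldquo;objects not referenced from the Catalog&rdquo; one, which needs a reachability walk over the object references rather than a simple pattern match, and adds up a score. The sample document and the weights are constructed for the example; peepdf's actual weights and parsing are far more elaborate, and this code ignores xref streams and object streams entirely.</p>

```python
import re
from collections import deque

# Constructed sample (not a real malicious file): a one-page document with no xref
# table, one filtered stream and a JavaScript object that nothing references.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R >> endobj
5 0 obj << /Length 5 /Filter /FlateDecode >> stream
XXXXX
endstream endobj
7 0 obj << /S /JavaScript /JS (app.alert(1);) >> endobj
trailer << /Root 1 0 R >>
"""

# Points per indicator. These weights are this example's own choice, not peepdf's.
WEIGHTS = {"missing_xref": 2, "javascript": 3, "auto_actions": 2,
           "lonely_objects": 2, "single_page": 1, "filtered_streams": 1}

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")


def parse_objects(data: bytes) -> dict[int, bytes]:
    """Map each indirect object number to its raw body (xref/object streams not handled)."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(data)}


def root_object(data: bytes, objects: dict):
    """Object number of the Catalog: from the trailer's /Root, else by /Type /Catalog."""
    m = re.search(rb"/Root\s+(\d+)\s+\d+\s+R\b", data)
    if m:
        return int(m.group(1))
    for num, body in objects.items():
        if re.search(rb"/Type\s*/Catalog\b", body):
            return num
    return None


def reachable_from(objects: dict, start) -> set:
    """Breadth-first walk over 'n g R' references starting at the Catalog."""
    seen, queue = set(), deque([start] if start in objects else [])
    while queue:
        num = queue.popleft()
        if num in seen:
            continue
        seen.add(num)
        for ref in REF_RE.finditer(objects[num]):
            target = int(ref.group(1))
            if target in objects and target not in seen:
                queue.append(target)
    return seen


def score_pdf(data: bytes) -> dict:
    """Evaluate a few of the indicators and sum the weights of the ones that fire."""
    objects = parse_objects(data)
    lonely = sorted(set(objects) - reachable_from(objects, root_object(data, objects)))
    facts = {
        "pages": sum(1 for b in objects.values() if re.search(rb"/Type\s*/Page(?![A-Za-z])", b)),
        "filters": len(re.findall(rb"/Filter\b", data)),
        "has_xref": bool(re.search(rb"\bxref\b|/XRef\b", data)),
        "javascript": bool(re.search(rb"/JS\b|/JavaScript\b", data)),
        "auto_actions": bool(re.search(rb"/OpenAction\b|/AA\b", data)),
        "lonely_objects": lonely,
    }
    hits = {
        "missing_xref": not facts["has_xref"],
        "javascript": facts["javascript"],
        "auto_actions": facts["auto_actions"],
        "lonely_objects": bool(lonely),
        "single_page": facts["pages"] == 1,
        "filtered_streams": facts["filters"] > 0,
    }
    return {"facts": facts, "hits": hits, "score": sum(WEIGHTS[k] for k, v in hits.items() if v)}


if __name__ == "__main__":
    print(score_pdf(SAMPLE_PDF))
```

<p>The per-indicator breakdown is kept next to the total on purpose: a single number is handy for sorting a pile of samples, but the analyst acting on it needs to see which indicators fired, which is what the &ldquo;score&rdquo; command described below provides.</p>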
<p>Here&rsquo;s a screenshot of the scoring system in action:</p>
<p>&nbsp;</p>
<div class="rtecenter"><a href="/eternal_files/uploads/peepdf_pdf_analysis_malicious_score.png" target="_blank"><img border="0" width="450" height="377" src="/eternal_files/uploads/peepdf_pdf_analysis_malicious_score_0.png" alt="Peepdf PDF Analysis Tool Scoring system" /></a></div>
<p>&nbsp;</p>
<p>Besides that, a new command was created to show the individual score assigned to the different indicators and give more details about how the global score was calculated. This command is called &ldquo;score&rdquo; and this is an example of its output:</p>
<p>&nbsp;</p>
<div class="rtecenter"><a href="/eternal_files/uploads/peepdf_pdf_analysis_score_command.png" target="_blank"><img border="0" width="350" height="250" src="/eternal_files/uploads/peepdf_pdf_analysis_score_command_0.png" alt="Peepdf PDF Analysis Tool Score command" /></a></div>
<p>You can try the scoring system by checking out the <a href="https://github.com/jesparza/peepdf/tree/gsoc"><em>gsoc</em> branch on Github</a>. Some more tests are needed before including it in the <em>master</em> branch, but as soon as I have some free time it will be merged for sure. The scoring system will be in the next <a href="https://twitter.com/peepdf">peepdf</a> release, together with some other nice features like being able to <a href="https://twitter.com/peepdf/status/702239374872813569">extract all the Javascript code from the document at once, or all the URIs present in the document</a>.</p>
<p>&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/peepdf_pdf_analysis_extarct_command.png"><img border="0" width="450" height="387" alt="Peepdf PDF Analysis Tool Extract command" src="/eternal_files/uploads/peepdf_pdf_analysis_extarct_command_0.png" /></a></div>
<p>&nbsp;</p>
<p>This summer <a href="https://github.com/jesparza/peepdf">peepdf</a> will not be an option in the Google Summer of Code, but there will be really interesting projects if you want to contribute. If you are looking for an interesting summer, <a href="http://honeynet.org/gsoc/ideas">take a look at the projects</a> proposed by my <a href="http://honeynet.org/">Honeynet</a> colleagues, you will not regret it! And stay tuned, because the next <strong>peepdf</strong> release will arrive in a few months :)</p>
<p>Tags: Analysis, GSoC, PDF, peepdf, Tools. Published Sun, 28 Feb 2016 19:13:14 +0000 by jesparza. <a href="http://eternal-todo.com/blog/adding-scoring-system-peepdf-pdf-analysis#comments">Comments</a></p>
<p><strong><a href="http://eternal-todo.com/blog/travelling-far-side-andromeda-botconf">Travelling to the far side of Andromeda at Botconf 2015</a></strong></p>
<p>It has been a while since I&nbsp;last wrote here and since <a href="https://www.botconf.eu/2015/travelling-to-the-far-side-of-andromeda-2/">I&nbsp;presented at Botconf</a>, but I&nbsp;wanted to share my slides here too. A couple of weeks after the <a href="https://en.wikipedia.org/wiki/November_2015_Paris_attacks">sad terrorist attacks in Paris</a>, <a href="https://twitter.com/botconf">Botconf</a> was held in the city of love. Way more secure than before, and with lots of security controls which almost made me miss my return train, but it was worth it. Attending a security conference focused on cybercrime, malware, reverse engineering and intelligence is always a good plan :) I really recommend attending <a href="https://twitter.com/Botconf/status/672801529284444160">Botconf this year in Lyon</a>, you will not regret it ;)</p>
<p>My presentation was about Andromeda. This is the abstract:</p>
<blockquote>
<p>Andromeda, also known as Gamarue by some antivirus vendors, is a popular and modular bot active since 2011. It is normally used to spread additional malware, but sometimes, depending on the criminals, the main objective could be just stealing user credentials. After almost five years of life its development has not stopped. The people behind it keep maintaining it and adding functionalities, like new anti-analysis routines, changes in the communication encryption, new request formats, etc.</p>
<p>This talk will not just give details about the latest changes in the Andromeda binary and control panel, but it will also answer some interesting questions about this botnet. Which are the most popular versions used nowadays? Are most of the botnets spreading malware or just using its plugins? What are the most popular plugins? How and where is Andromeda sold? Who is selling it? What criminal groups are using Andromeda? It is not just a talk about malware reversing but about the whole Andromeda ecosystem.</p>
</blockquote>
<p>&nbsp;</p>
<div class="rtejustify">Since the first time I&nbsp;analyzed Andromeda <a href="http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis">back in 2013</a> I&nbsp;have been keeping an eye on the new versions. Last year I&nbsp;published another blog post giving some <a href="http://eternal-todo.com/blog/andromeda-gamarue-loves-json">details about the new JSON version</a>, and since then I&nbsp;have been tracking some Andromeda botnets at work, together with my <a href="https://www.fox-it.com/intell/">Fox-IT InTELL</a> colleagues. Thanks to this work we were able to spot some interesting botnets, like the one used by the <a href="https://www.fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf">Anunak group</a> or the one used by Smilex (the <a href="http://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled">Dridex operator arrested last year in Cyprus</a>) to distribute his spam bot. Besides that, I showed some statistics about the botnets we saw, interesting spread plugins like the spammer (Jahoo/Otlard) <a href="http://malware.dontneedcoffee.com/2015/11/inside-jahoo-otlarda-botnet-dedicated.html">mentioned by Kafeine some days before my presentation</a>, some funny comments about the anti-analysis techniques used by Andromeda and some details about the actors behind it. Unfortunately, some of this information was shared only at Botconf and is not for public distribution.</div>
<p>This is the public version of my slides (you can <a href="http://eternal-todo.com/files/presentations/Travelling%20to%20the%20far%20side%20of%20Andromeda%20-%20Botconf%202015.pdf">download them here</a> and also <a href="https://www.botconf.eu/wp-content/uploads/2015/12/OK-P07-Jose-Esparza-Travelling-to-the-far-side-of-Andromeda-2.pdf">from the Botconf site</a>):</p>
<p>&nbsp;</p>
<div class="rtecenter"><iframe width="500" height="400" frameborder="0" allowfullscreen="" style="border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;" scrolling="no" marginheight="0" marginwidth="0" src="//www.slideshare.net/slideshow/embed_code/key/k9x09yO8APjX9K"> </iframe>
<div style="margin-bottom:5px"><strong> <a target="_blank" title="Travelling to the far side of Andromeda" href="//www.slideshare.net/eternaltodo/travelling-to-the-far-side-of-andromeda">Travelling to the far side of Andromeda</a> </strong> from <strong><a target="_blank" href="//www.slideshare.net/eternaltodo">Jose Miguel Esparza</a></strong></div>
<div class="rteleft">Taking a look at the slides is not as exciting as attending the presentation, hehe, but I&nbsp;think it is enough to get a good idea of the subject and the things I&nbsp;discussed there. If you have any question or comment, feel free, shoot! Via email is also ok if you are shy ;) And remember: Botconf, Lyon, 29th of November ;) See you there!</div>
</div>
<p>Tags: Actors, Andromeda, Botconf, Botnets, Conferences, Intelligence, Malware, Reversing. Published Sun, 07 Feb 2016 21:09:54 +0000 by jesparza. <a href="http://eternal-todo.com/blog/travelling-far-side-andromeda-botconf#comments">Comments</a></p>
<p><strong><a href="http://eternal-todo.com/blog/peepdf-blackhat-arsenal-pdf-challenge-solution">Black Hat Arsenal peepdf challenge solution</a></strong></p>
<p style="margin-bottom: 0cm">One week before <a href="https://www.blackhat.com/us-15/arsenal.html#jose-miguel-esparza">my demo at the Black Hat Arsenal</a> I released a <a href="http://eternal-todo.com/blog/peepdf-blackhat-arsenal-pdf-challenge"><i>peepdf</i> challenge</a>. The idea was to solve the challenge using just <a href="http://peepdf.eternal-todo.com/"><i>peepdf</i></a>, of course ;) This post explains how to solve the challenge, so if you want to try it by yourself (you should!) <strong>STOP READING HERE!</strong> The PDF file can be downloaded from <a href="http://eternal-todo.com/files/pdf/peepdf_challenge_blackhat.pdf">here</a> and it is not harmful. No shellcodes, no exploits, no kittens killed. In summary, you can open it with no fear, but do it with a version of Adobe Reader prior to XI ;)</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">Let's start! :) This is what you see with the latest version of <a href="https://github.com/jesparza/peepdf"><i>peepdf</i></a>:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_init.png"><img border="0" width="450" height="378" alt="Peepdf Black Hat Arsenal Challenge" src="/eternal_files/uploads/peepdf_challenge_blackhat_init_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">In a quick look you can spot some Javascript code located in object 13 and also an embedded file in the same object. Checking the references to this object and some info about it we see that it is an embedded PDF file:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_embeded.png"><img border="0" width="450" height="303" alt="Peepdf Black Hat Arsenal Challenge Embedded" src="/eternal_files/uploads/peepdf_challenge_blackhat_embeded_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">We can easily extract the new PDF file using the following command:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<pre>PPDF&gt; stream 13 &gt; peepdf.pdf</pre>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">If you open this PDF file with one of the right Adobe Reader versions you will see a popup asking for a &ldquo;magic code&rdquo;:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_popup.png"><img border="0" width="450" height="302" alt="Peepdf Black Hat Arsenal Challenge Popup" src="/eternal_files/uploads/peepdf_challenge_blackhat_popup_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">It would be nice if we could find references to &ldquo;magic&rdquo; or &ldquo;code&rdquo; within the document, but using the search command gives no results (that would be too easy :p). At this point I have to tell you that analyzing the process memory to see if you are lucky is cheating!! This challenge is just about static analysis ;)</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">This is what you should see after opening this new PDF document with <a href="https://twitter.com/peepdf"><i>peepdf</i></a>:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_newpdf.png"><img border="0" width="450" height="278" alt="Peepdf Black Hat Arsenal Challenge Newpdf" src="/eternal_files/uploads/peepdf_challenge_blackhat_newpdf_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">If you open this with an older version you will probably see some errors related to objects 6 and 8. These objects use the /DCTDecode filter, which was not supported in previous versions (it is now). After taking a quick look at the extracted document we can see that it is encrypted using RC4. We can also see two triggers (/AA and /Names), and there are four objects containing Javascript code but six including the /JS name, which suggests that there are really six objects containing Javascript code. That is easy to check, just by exploring those objects:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_js.png"><img border="0" width="450" height="410" alt="Peepdf Black Hat Arsenal Challenge Javascript" src="/eternal_files/uploads/peepdf_challenge_blackhat_js_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">This document has just one page and its properties are described in object 3. There you can see the /AA element triggering some Javascript code located in object 5. This code checks the Adobe Reader version and if it is the correct one executes the function &ldquo;<i>peepdf&rdquo;</i> using as argument the value returned from function &ldquo;<i>r&rdquo;</i>. At the same time, this function &ldquo;<i>r&rdquo;</i> takes two arguments, &ldquo;<i>a&rdquo;</i> and the returned value from function &ldquo;<i>x.d</i>&rdquo; using &ldquo;<i>this.info.author&rdquo;</i> as argument. Clear, right? ;)</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<pre>var version = app.viewerVersion.toString().split(".")[0];
if (version &gt; 10) {
  app.alert({cTitle: "Peepdf Challenge", cMsg: "You should try with an older version of Adobe Reader ;)"});
  this.closeDoc(true);
} else {
  peepdf(r(a, x.d(this.info.author)));
}</pre>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">At this point I would try to search for the functions &ldquo;<i>peepdf</i>&rdquo;, &ldquo;<i>r</i>&rdquo; and &ldquo;<i>x.d</i>&rdquo;. Searching for &ldquo;<i>r</i>&rdquo; is useless, too generic. Searching for &ldquo;<i>x.d</i>&rdquo; gives no results (except object 5). But searching for &ldquo;<i>peepdf</i>&rdquo; returns five objects, object 8 being one of them. That is an interesting object...</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_eval.png"><img border="0" width="450" height="277" alt="Peepdf Black Hat Arsenal Challenge Eval" src="/eternal_files/uploads/peepdf_challenge_blackhat_eval_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">This object is a JPEG image hiding the text &ldquo;<em>peepdf=eval;//PADDINGGGG</em>&rdquo; inside. This text can be executed as Javascript, as D&eacute;nes &Oacute;v&aacute;ri explained in his <a href="https://www.virusbtn.com/virusbulletin/archive/2015/03/vb201503-lossy">Virus Bulletin blog post</a>, so the &ldquo;<i>peepdf</i>&rdquo; function is just the &ldquo;<i>eval</i>&rdquo; function. It is important to mention that this object will only show up if you analyze the document with the latest version of <i>peepdf</i>, which supports the /DCTDecode filter:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_balckhat_tweet.png"><img border="0" width="350" height="153" alt="Peepdf Black Hat Arsenal Challenge Tweet" src="/eternal_files/uploads/peepdf_challenge_balckhat_tweet_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">Ok, so the next step is exploring the other objects containing Javascript code to see if we can find the missing functions there:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<ul>
<li>
<p style="margin-bottom: 0cm">Object 6 is another JPEG image hiding the variable &ldquo;a&rdquo;</p>
<ul>
<li>
<p style="margin-bottom: 0cm">var a=&quot;QkhQMzNwZGY=&quot;;</p>
</li>
</ul>
</li>
<li>
<p style="margin-bottom: 0cm">Object 19 contains an XOR function where the first argument is the key and the second one is the data to encode/decode.</p>
</li>
<li>
<p style="margin-bottom: 0cm">Object 24 contains different functions and a comment mentioning Paul Johnston and this <a href="http://pajhome.org.uk/site/legal.html"><strong>license page</strong></a>. Digging a bit more it is easy to see that the code is derived from the <em>RSA Data Security, Inc. MD5 Message-Digest Algorithm</em>. Yes, just MD5!</p>
</li>
</ul>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_jscode.png"><img border="0" width="450" height="366" alt="Peepdf Black Hat Arsenal Challenge Javascript" src="/eternal_files/uploads/peepdf_challenge_blackhat_jscode_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">Object 16 deserves its own paragraph. The &ldquo;<i>getAnnots</i>&rdquo; function had some security issues in 2009 (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1492">CVE-2009-1492</a>), but in this case it is not trying to exploit anything: it just gets the annotations found in page 0 of the document. Then it extracts the subject of one of the annotations, using the number of pages as the array index (<i>an[this.numPages].subject</i>). In this case there is one page, so it retrieves the content of the second annotation (index one is the second array element). If you check the screenshot showing object 3 again you will see that the first annotation is object 20 and the second annotation is object 21, so this code stores the subject of object 21 in the variable &ldquo;s&rdquo;.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_subject.png"><img border="0" width="450" height="368" alt="Peepdf Blackhat Arsenal Challenge Subject" src="/eternal_files/uploads/peepdf_challenge_blackhat_subject_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">The next thing this code does is splitting the subject content using &ldquo;<i><span style="font-weight: normal">x1</span></i>&rdquo; to cut it and then convert the resultant hexadecimal array to text and execute it using the function &ldquo;<i><span style="font-weight: normal">peepdf</span></i>&rdquo; again. You can easily do this in the <i><span style="font-weight: normal">peepdf</span></i> console using the <i><span style="font-weight: normal">stream</span></i>, <i><span style="font-weight: normal">replace</span></i> and <i><span style="font-weight: normal">decode</span></i> commands:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_subject_dec.png"><img border="0" width="450" height="345" alt="Peepdf Black Hat Arsenal Challenge Subject Dec" src="/eternal_files/uploads/peepdf_challenge_blackhat_subject_dec_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">And here we have the &ldquo;<i>x.d</i>&rdquo; function! :) We almost have all the elements we need except the &ldquo;<i>this.info.author</i>&rdquo; element but this is an easy one. Just exploring the info object is enough:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_author.png"><img border="0" width="450" height="333" alt="Peepdf Black Hat Arsenal Challenge Author" src="/eternal_files/uploads/peepdf_challenge_blackhat_author_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">The &ldquo;<i>info.author</i>&rdquo; content looks like Base64, and that is because the &ldquo;<i>x.d</i>&rdquo; function is really just a Base64 decoder using a modified alphabet. So let's execute it all together! You can write everything to a separate file on disk and execute it with &ldquo;js_eval&rdquo; from the peepdf console, you can use your favorite Javascript engine, or you can do it all inside peepdf. Yes, it is possible ;)</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_jseval.png"><img border="0" width="450" height="332" alt="Peepdf Black Hat Arsenal Challenge Javascript Eval" src="/eternal_files/uploads/peepdf_challenge_blackhat_jseval_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">The beautified code is:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<pre>var code = app.response({cQuestion: "Enter the magic code", cTitle: "Peepdf Challenge"});
if (code == calc(app.doc.getAnnots({nPage: 0})[0].subject + this.info.producer)) {
  app.alert({cTitle: "Peepdf Challenge", cMsg: "You got it!! You deserve a peepdf t-shirt!! ;)"});
  app.alert({cTitle: "Peepdf Challenge", cMsg: "But you need to send a small writeup to peepdf at eternal-todo dot com to get one. Just for the three best reports! Go go go! ;)"});
  app.alert({cTitle: "Peepdf Challenge", cMsg: "If you are attending Black Hat just come to my presentation and explain how you solved it. Easier!!"});
  app.alert({cTitle: "Peepdf Challenge", cMsg: "Thanks for playing!! :)"});
} else {
  app.alert({cTitle: "Peepdf Challenge", cMsg: "Try again!!"});
}</pre>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">As you have probably noticed the interesting bit is this condition:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<pre><span style="font-size: smaller;">if (code == calc(app.doc.getAnnots({nPage: 0})[0].subject + this.info.producer))</span></pre><p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">But if you are still reading you probably know how to solve it, right? We need to execute the &ldquo;<em>calc</em>&rdquo; function (object 24), passing it the concatenation of the subject of the first annotation and the &ldquo;<em>info.producer</em>&rdquo; value, and we will have the magic code ;)</p>
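<p>As an added example (not the challenge's own code), this Python snippet shows the trick behind a decoder like &ldquo;<em>x.d</em>&rdquo;: Base64 with a substituted alphabet, which you undo by mapping the custom alphabet back onto the standard one before decoding. The alphabet used below is constructed for illustration; the challenge's real alphabet is not reproduced here.</p>

```python
"""Added example, not code from the original post: decoding Base64 that uses
a modified alphabet, the trick the post attributes to the challenge's
"x.d" function.  The custom alphabet below is constructed for illustration.
"""
import base64
import string

STD_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                + string.digits + "+/")

# Constructed alphabet: the standard one rotated by 13 positions.  With a real
# sample you read the alphabet straight out of the decoder function instead.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]


def check_alphabet(alphabet: str) -> None:
    """A Base64 alphabet must be exactly 64 distinct single characters."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")


def decode_custom_b64(data: str, alphabet: str, pad: str = "=") -> bytes:
    """Map the custom alphabet onto the standard one, then reuse the standard
    decoder.  Padding is re-added in case the encoder dropped it."""
    check_alphabet(alphabet)
    table = str.maketrans(alphabet, STD_ALPHABET)
    body = data.strip().replace(pad, "").translate(table)
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body, validate=True)


def encode_custom_b64(raw: bytes, alphabet: str) -> str:
    """Inverse mapping; used here only to construct input that a script with
    the custom alphabet would carry."""
    check_alphabet(alphabet)
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(table)


def looks_like_custom_b64(data: str, alphabet: str, pad: str = "=") -> bool:
    """Cheap triage check: every character of the blob comes from the
    candidate alphabet (plus padding) and the length is a multiple of 4."""
    body = data.strip()
    return len(body) % 4 == 0 and all(c in alphabet or c == pad for c in body)


if __name__ == "__main__":
    blob = encode_custom_b64(b"peepdf", CUSTOM_ALPHABET)   # constructed input
    print(blob, "->", decode_custom_b64(blob, CUSTOM_ALPHABET))
```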
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_solution.png"><img border="0" width="450" height="342" alt="Peepdf Black Hat Arsenal Challenge Solution" src="/eternal_files/uploads/peepdf_challenge_blackhat_solution_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/peepdf_challenge_blackhat_win.png"><img border="0" width="450" height="303" alt="Peepdf Black Hat Arsenal Challenge Win" src="/eternal_files/uploads/peepdf_challenge_blackhat_win_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">The objective was to solve this challenge using just <i>peepdf</i>, and this is how you can do it ;) Some people sent their response/writeup for the challenge, so I am pleased to announce that the happy winners of a peepdf t-shirt are:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<ul>
<li>
<p style="margin-bottom: 0cm">Stefano Antenucci (<a href="https://twitter.com/antelox"><strong>Antelox</strong></a>)</p>
</li>
<li>
<p style="margin-bottom: 0cm"><a href="https://dfir.it/"><strong>Piotr Wojtyła</strong></a></p>
</li>
<li>
<p style="margin-bottom: 0cm"><a href="https://twitter.com/___wr___"><strong>William Robinet</strong></a></p>
</li>
</ul>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">I will send you the t-shirt soon! Thanks a lot to all the participants, and thanks for taking the time to write your response and send it to me. I hope you enjoyed this challenge :) I also want to thank <a href="https://twitter.com/angealbertini">Ange Albertini</a> for his tips on compressing and hiding the Javascript code in the JPEG images. He saved me the time I did not have one week before Black Hat ;)</p>
<p>Comments: <a href="http://eternal-todo.com/blog/peepdf-blackhat-arsenal-pdf-challenge-solution#comments">http://eternal-todo.com/blog/peepdf-blackhat-arsenal-pdf-challenge-solution#comments</a><br />
Tags: Analysis, Arsenal, Black Hat, Challenge, CTF, Javascript, PDF, peepdf, Tools<br />
Published Wed, 09 Sep 2015 17:05:02 +0000 by jesparza</p>
<h1><a href="http://eternal-todo.com/blog/peepdf-blackhat-arsenal-pdf-challenge">Black Hat Arsenal peepdf challenge</a></h1>
<p style="margin-bottom: 0cm">In one week I will be traveling to Las Vegas to show how <a href="https://www.blackhat.com/us-15/arsenal.html#jose-miguel-esparza">peepdf</a> works at the <a href="http://www.blackhat.com/us-15/presenters/Jose-Miguel-Esparza.html">Black Hat USA</a> <a href="https://twitter.com/netpeas">Arsenal</a>. My time slot is on <a href="https://www.blackhat.com/us-15/schedule/arsenal-5.html">Wednesday the 5th from 15:30 to 18:00</a>, so you are more than welcome to come by and say hi, ask questions or just talk to me. I will also be presenting some of the work <a href="https://in.linkedin.com/in/rohitdua">Rohit Dua</a> is doing during the <a href="http://eternal-todo.com/blog/peepdf-gsoc-github-blackhat-arsenal">Google Summer of Code</a> (GSoC), <a href="https://www.google-melange.com/gsoc/project/details/google/gsoc2015/rohitdua/5738600293466112">adding a scoring system</a> for <a href="http://eternal-todo.com/tools/peepdf-pdf-analysis-tool">peepdf</a>.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtecenter"><a target="_blank" href="/eternal_files/uploads/blackhat-arsenal.png"><img width="355" height="99" alt="Black Hat Arsenal Peepdf" src="/eternal_files/uploads/blackhat-arsenal.png" /></a></p>
<p style="margin-bottom: 0cm">
&nbsp;</p>
<p style="margin-bottom: 0cm">I wanted to prepare a challenge before my presentation at the <a href="https://twitter.com/toolswatch">Arsenal</a>, so I have been working on it these past days. It is ready now, so I am releasing it today. <a href="http://eternal-todo.com/files/pdf/peepdf_challenge_blackhat.pdf"><b>Download the PDF file and play with it!</b></a> <u>There is no malicious content inside</u>, so you can (and must) open the document without fear. It is more like the classical challenge you can find in a CTF. I would recommend using versions of Adobe Reader prior to XI to see what you have to see ;) The challenge will finish after my Black Hat presentation, and I will publish the winners and the solutions (if they allow me) in the days after it. This is how the PDF file looks:<br />
&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtecenter"><a target="_blank" href="/eternal_files/uploads/peepdf_blackhat_challenge.png"><img border="0" width="450" height="338" alt="peepdf black hat challenge" src="/eternal_files/uploads/peepdf_blackhat_challenge_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">The idea behind the challenge is to use <a href="https://twitter.com/peepdf">peepdf</a> for all the analysis if possible (<u>grabbing the process memory is not allowed</u>! ;)). You can send your solutions to <i>peepdf at eternal-todo dot com</i>. I don't need a really nice report, but I would like to see the steps you followed to solve the challenge, the tools you used (fewer tools is better!), etc. You can also come to the <a href="http://www.toolswatch.org/2015/06/black-hat-arsenal-usa-2015-speakers-lineup/">Arsenal</a> and tell me your solution ;)</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">I don't have any sponsor (feel free to offer yourself as a sponsor!) or impressive prizes, so I will send a peepdf t-shirt to the three best and fastest reports/solutions. If you are one of the winners and you are at Black Hat I could even bring you something nice from the tulip country. But challenges are not about the prizes but about the challenge itself, right? ;) Please spread the word, and I hope you enjoy it!!<br />
&nbsp;</p>
<p>Comments: <a href="http://eternal-todo.com/blog/peepdf-blackhat-arsenal-pdf-challenge#comments">http://eternal-todo.com/blog/peepdf-blackhat-arsenal-pdf-challenge#comments</a><br />
Tags: Analysis, Arsenal, Black Hat, Challenge, CTF, PDF, peepdf, Tools<br />
Published Sun, 26 Jul 2015 18:04:06 +0000 by jesparza</p>
<h1><a href="http://eternal-todo.com/blog/peepdf-gsoc-github-blackhat-arsenal">peepdf news: GitHub, Google Summer of Code and Black Hat</a></h1>
<p style="margin-bottom: 0cm">Two months ago <a href="http://google-opensource.blogspot.nl/2015/03/farewell-to-google-code.html">Google announced</a> that Google Code was slowly dying: no new projects can be created, it will be read-only soon, and in January 2016 the project will close definitively. <a href="http://peepdf.eternal-todo.com/">peepdf</a> was <a href="https://code.google.com/p/peepdf/">hosted there</a>, so it was time to move to another platform. The code is now hosted at GitHub, which is way more active than Google Code:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm"><a href="https://github.com/jesparza/peepdf">https://github.com/jesparza/peepdf</a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">If you are using <a href="https://twitter.com/peepdf">peepdf</a> you must update the tool, because it is still pointing to Google Code. After executing <i>&ldquo;<strong>peepdf.py -u</strong>&rdquo;</i> the tool will point to GitHub and will be able to stay up to date with the latest commits. The peepdf Google Code page will also point to GitHub soon.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">Another important announcement is that <a href="https://github.com/rohit-dua">Rohit Dua</a> will be the student who will work with peepdf this summer in the <a href="https://www.google-melange.com/gsoc/project/details/google/gsoc2015/rohitdua/5738600293466112">Google Summer of Code (GSoC)</a>. I initially presented three ideas to improve peepdf through <a href="https://honeynet.org/">The Honeynet Project</a>:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<ul>
<li>
<p style="margin-bottom: 0cm"><a href="https://honeynet.org/gsoc/ideas#project12"><strong>Project 12 - PEEPDF1: Improve PDF filters in peepdf</strong></a></p>
</li>
<li>
<p style="margin-bottom: 0cm"><a href="https://honeynet.org/gsoc/ideas#project13"><strong>Project 13 - PEEPDF2: Adding a scoring system in peepdf</strong></a></p>
</li>
<li>
<p style="margin-bottom: 0cm"><a href="https://honeynet.org/gsoc/ideas#project14"><strong>Project 14 - PEEPDF3: Web interface for peepdf</strong></a></p>
</li>
</ul>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">Unfortunately, not too many slots were assigned to <a href="https://twitter.com/ProjectHoneynet">The Honeynet Project</a>, and we had to choose the best proposals across all the projects. Luckily, at least one of the three peepdf projects will be finished after the summer :) The chosen project was project 13, adding a scoring system. The idea is that peepdf gives a maliciousness score after parsing and analyzing a PDF document. This score will be the result of weighting several indicators that will be researched during the project, such as the presence of obfuscated or malformed elements, encryption, Javascript code, etc. I am sure Rohit will do a really great job, and this new feature will be really useful for deciding faster whether a PDF file is harmful or not.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">The project will start on the 26<sup>th</sup> of May and will finish in mid-August. Keeping in mind that I sent a submission to present peepdf at the <a href="http://www.toolswatch.org/arsenal2015/">Black Hat Arsenal</a> again, that would be a really nice opportunity to show the new functionality to the audience. We will keep our fingers crossed to be at the Arsenal again ;)<br />
&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/blackhat-arsenal.png"><img width="355" height="99" alt="Black Hat Arsenal Peepdf" src="/eternal_files/uploads/blackhat-arsenal.png" /></a></p>
<p>Comments: <a href="http://eternal-todo.com/blog/peepdf-gsoc-github-blackhat-arsenal#comments">http://eternal-todo.com/blog/peepdf-gsoc-github-blackhat-arsenal#comments</a><br />
Tags: Analysis, Black Hat, Forensics, GSoC, Malware, PDF, peepdf, Tools, Vulnerabilities<br />
Published Tue, 05 May 2015 19:34:38 +0000 by jesparza</p>
<h1><a href="http://eternal-todo.com/blog/andromeda-gamarue-loves-json">Andromeda/Gamarue bot loves JSON too (new versions details)</a></h1>
<p style="margin-bottom: 0cm">After <a href="http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis">my last post about Andromeda</a>, different updates related to versions 2.07 and 2.08 appeared. Mostly, Fortinet was talking about the <a href="http://blog.fortinet.com/post/andromeda-2-7-features">version 2.7 features</a> and the <a href="http://blog.fortinet.com/post/new-anti-analysis-tricks-in-andromeda-2-08">new anti-analysis tricks of version 2.08</a>. After that, Kimberly also mentioned <a href="http://stopmalvertising.com/spam-scams/cve-2013-2729-and-andromeda-2.9-a-massive-hsbc-themed-email-campaign/andromeda-botnet.html">version 2.09 in a blog post</a>, but I have not seen too many details about the latest versions of Andromeda. This is a summary of the interesting details about the newer versions.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<h2>Andromeda versions</h2>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">After version 2.08, the parameter used to send the bot version to the panel was removed from the POST request, so now it is a bit more difficult to distinguish between versions. An easy way to tell the versions apart is to take a look at the request format strings:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<ul>
<li>
<p style="margin-bottom: 0cm"><em><strong>id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu</strong></em> (&lt;=2.06)</p>
</li>
<li>
<p style="margin-bottom: 0cm"><em><strong>id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu</strong></em> (2.07/2.08)</p>
</li>
<li>
<p style="margin-bottom: 0cm"><em><strong>id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu</strong></em> (2.09)</p>
</li>
<li>
<p style="margin-bottom: 0cm"><em><strong>{&quot;id&quot;:%lu,&quot;bid&quot;:%lu,&quot;os&quot;:%lu,&quot;la&quot;:%lu,&quot;rg&quot;:%lu}</strong></em> (2.10?)</p>
</li>
</ul>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">If the element <em>bv</em> (bot version) is present, it is easy; if it is not there, this trick can help. The latest version I have analyzed uses JSON to communicate with the control panel, but I am not 100% sure whether it is really version 2.10 (advertised in March 2015) or a variation of version 2.09. I say that I am not sure because Alexandru Maximciuc (Bitdefender) had already spotted one version in January 2015, and since then more botnets have been using this version, before the advertisement was published in March.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">Nowadays, most of the Andromeda botnets use the leaked version 2.06. After that, the latest version seems to be really popular too, together with version 2.09. The rest of the versions seem to have a lower number of botnets.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<h2>RC4 key and C&amp;C URL decryption</h2>
<p style="margin-bottom: 0cm">&nbsp;<br />
Since version 2.09 Andromeda includes the fake RC4 key <em>754037e7be8f61cbb1b85ab46c7da77d</em>, which is the MD5 hash of &quot;<em>go fuck yourself</em>&quot;. Of course, this is just a distraction for analysts, and the real key is located at a different offset in memory. The RC4 key is used to encrypt the communication with the C&amp;C, but the same key in reverse order is also used to decrypt the C&amp;C URLs. I won't give more details about it because <a href="http://byte-atlas.blogspot.nl/2015/04/kf-andromeda-bruteforcing.html">this blog post explains really well how and where</a> the decrypted URLs are stored in memory.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<h2>Task types removed</h2>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">In the previous versions of Andromeda, seven different task types were supported when the bot asked the C&amp;C for tasks to execute:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<ul>
<li>
<p style="margin-bottom: 0cm">1: Download executable</p>
</li>
<li>
<p style="margin-bottom: 0cm">2: Install plugin</p>
</li>
<li>
<p style="margin-bottom: 0cm">3: Update bot</p>
</li>
<li>
<p style="margin-bottom: 0cm">4: Install DLL</p>
</li>
<li>
<p style="margin-bottom: 0cm">5: Uninstall DLL</p>
</li>
<li>
<p style="margin-bottom: 0cm">6: Delete plugins</p>
</li>
<li>
<p style="margin-bottom: 0cm">9: Kill bot</p>
</li>
</ul>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/andromeda_json_2.07_task_types.png"><img width="271" height="250" alt="" src="/eternal_files/uploads/andromeda_json_2.07_task_types_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">However, since version 2.09 the task types in charge of installing and uninstalling DLLs have been removed:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/andromeda_json_2.09_task_types.png"><img width="450" height="291" alt="" src="/eternal_files/uploads/andromeda_json_2.09_task_types_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<h2>Network Time Protocol (NTP) traffic</h2>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">The latest version of Andromeda uses some NTP domains to obtain the real time and stores it in a variable. This timestamp is incremented by the bot as a time counter, and it is used as the first argument of the function &quot;<em>aStart</em>&quot;, apparently exported by some plugins. The hardcoded NTP domains are:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<pre><span style="font-size: smaller;">europe.pool.ntp.org<br />north-america.pool.ntp.org<br />south-america.pool.ntp.org<br />asia.pool.ntp.org<br />oceania.pool.ntp.org<br />africa.pool.ntp.org<br />pool.ntp.org</span></pre><p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/andromeda_json_ntp_traffic.png"><img width="450" height="69" alt="" src="/eternal_files/uploads/andromeda_json_ntp_traffic_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<h2>C&amp;C requests</h2>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">I mentioned above the request format used to send the different parameters to the control panel. This POST request is encrypted with the RC4 key and used to be encoded with Base64 as well. However, this latest version of Andromeda skips the Base64 encoding and sends the data directly. It also changes the Content-Type header from the usual &ldquo;<em>application/x-www-form-urlencoded</em>&rdquo; to &ldquo;<em>application/octet-stream</em>&rdquo;. Fortunately for lovers of SNORT rules, it keeps using the same User-Agent, &ldquo;<em>Mozilla/4.0</em>&rdquo;. This is an example from a random sample:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtecenter"><a target="_blank" href="/eternal_files/uploads/andromeda_json_c2c_request.png"><img width="450" height="271" alt="Andromeda 2.09 2.10 C&amp;C request" src="/eternal_files/uploads/andromeda_json_c2c_request_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;<br />
As for the C&amp;C response, all the previous versions use the Botid (bid) to decrypt this information. However, the latest version uses the same RC4 key needed to encrypt the request, instead of the Botid.<br />
&nbsp;</p>
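<p>Added example, not code from the post or from the bot: using the request format strings listed under &ldquo;Andromeda versions&rdquo; and the encryption details above, this Python snippet unwraps a check-in body (RC4, with the Base64 layer only for the older requests) and fingerprints the version from the field order. The key, the request bodies and the use of the Content-Type header as the Base64 selector are assumptions made for this example.</p>

```python
"""Added example, not the post's or Andromeda's own code: decode a check-in
POST body the way the post describes it (RC4; Base64 on top only in the older
application/x-www-form-urlencoded requests) and fingerprint the bot version
from the request format string.  Key and request bodies are constructed.
"""
import base64
import json

# Field order of the request format strings listed in the post, per version.
PIPE_FORMATS = {
    ("id", "bid", "bv", "sv", "pa", "la", "ar"): "<=2.06",
    ("id", "bid", "bv", "os", "la", "rg"): "2.07/2.08",
    ("id", "bid", "os", "la", "rg"): "2.09",
}
JSON_FORMATS = {
    ("id", "bid", "os", "la", "rg"): "2.10? (JSON)",
    ("id", "bid", "os", "la", "rg", "bb"): "2.10? (JSON, bb variant)",
}
URLENCODED = "application/x-www-form-urlencoded"
OCTET_STREAM = "application/octet-stream"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_checkin(plaintext: bytes, key: bytes, content_type: str) -> bytes:
    """Build a body as the bot would: RC4, then Base64 only for the older
    URL-encoded style.  Used here to construct sample traffic."""
    body = rc4(key, plaintext)
    return base64.b64encode(body) if content_type == URLENCODED else body


def decrypt_checkin(body: bytes, key: bytes, content_type: str) -> bytes:
    """Reverse of encode_checkin.  The Content-Type switch the post notes
    (urlencoded -> octet-stream) decides whether a Base64 layer is stripped."""
    if content_type == URLENCODED:
        body = base64.b64decode(body)
    return rc4(key, body)


def parse_checkin(plaintext: bytes):
    """Return (kind, field order, fields) for a pipe-delimited or JSON body."""
    text = plaintext.decode("ascii")
    if text.startswith("{"):
        obj = json.loads(text)
        return "json", tuple(obj), obj          # dict keeps the key order
    fields = {}
    for part in text.split("|"):
        name, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[name] = value
    return "pipe", tuple(fields), fields


def identify_version(plaintext: bytes) -> str:
    """Match the field order against the known format strings; when the bot
    still sends 'bv', report the stated version as well."""
    kind, order, fields = parse_checkin(plaintext)
    table = JSON_FORMATS if kind == "json" else PIPE_FORMATS
    label = table.get(order, "unknown format")
    if "bv" in fields:
        label += f" (bv={fields['bv']})"
    return label


if __name__ == "__main__":
    key = b"constructed-demo-key"   # placeholder, not a real Andromeda key
    samples = [(b"id:1|bid:2|bv:3|sv:4|pa:5|la:6|ar:7", URLENCODED),
               (b'{"id":1,"bid":2,"os":3,"la":4,"rg":5}', OCTET_STREAM)]
    for plain, ctype in samples:
        wire = encode_checkin(plain, key, ctype)
        print(ctype, "->", identify_version(decrypt_checkin(wire, key, ctype)))
```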
<h2>Plugin decryption</h2>
<p></p>
<p style="margin-bottom: 0cm">When the previous Andromeda versions (&lt;=2.09) installed plugins from a given URL, the bot decrypted them by skipping a certain number of bytes as header and using the RC4 key to decrypt the data from a specific offset. After that, aPLib was used to decompress the final DLL. In the latest version the process to decrypt the plugins is slightly more complex:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<ul>
<li>
<p style="margin-bottom: 0cm">Decrypt the header (43 bytes) with the RC4 key</p>
</li>
<li>
<p style="margin-bottom: 0cm">The first DWORD is the XOR key to decrypt the other header values (after the 16<sup>th</sup> byte)</p>
</li>
<li>
<p style="margin-bottom: 0cm">The first 16 bytes are the RC4 key to decrypt the plugin</p>
</li>
<li>
<p style="margin-bottom: 0cm">After that there is an aPLib compression layer too</p>
</li>
</ul>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/andromeda_json_plugin_decryption.png"><img width="450" height="257" alt="" src="/eternal_files/uploads/andromeda_json_plugin_decryption_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;<br />
Since version 2.09 Andromeda has added a TeamViewer plugin to its collection, and it sends the TeamViewer ID and password to the panel to be able to connect easily to the machine.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<h2>More processes blacklisted</h2>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">He Xu (Fortinet) did a good job when he added a <a href="http://blog.fortinet.com/post/new-anti-analysis-tricks-in-andromeda-2-08">screenshot with the new hashes blacklisted</a> in versions 2.07 and 2.08. I really liked the idea, and I did the same with these new versions. I also tried to discover which processes were hidden behind these hashes, uncovering all except one :) This is the full list:</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<pre><span style="font-size: smaller;">dd 99DD4432h ; vmwareuser.exe <br />dd 2D859DB4h ; vmwareservice.exe <br />dd 64340DCEh ; vboxservice.exe <br />dd 63C54474h ; vboxtray.exe <br />dd 349C9C8Bh ; sandboxiedcomlaunch.exe <br />dd 3446EBCEh ; sandboxierpcss.exe <br />dd 5BA9B1FEh ; procmon.exe <br />dd 3CE2BEF3h ; regmon.exe <br />dd 3D46F02Bh ; filemon.exe <br />dd 77AE10F7h ; wireshark.exe <br />dd 0F344E95Dh ; netmon.exe <br />dd 2DBE6D6Fh ; prl_tools_service.exe (Parallels) <br />dd 0A3D10244h ; prl_tools.exe (Parallels) <br />dd 1D72ED91h ; prl_cc.exe (Parallels) <br />dd 96936BBEh ; sharedintapp.exe (Parallels) <br />dd 278CDF58h ; vmtoolsd.exe <br />dd 3BFFF885h ; vmsrvc.exe <br />dd 6D3323D9h ; vmusrvc.exe <br />dd 0D2EFC6C4h ; python.exe <br />dd 0DE1BACD2h ; perl.exe <br />dd 3044F7D4h ; ???</span></pre><p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/andromeda_json_process_hashes_list.png"><img width="450" height="208" alt="" src="/eternal_files/uploads/andromeda_json_process_hashes_list_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">As you can see, version 2.09 includes the same hashes as version 2.08, but the latest version adds <em>python.exe</em>, <em>perl.exe</em> and another mysterious process to the blacklist. It would be nice if someone could uncover this missing process. Challenge: CRC32(lower($process)) = 0x3044F7D4; $process = ???<br />
&nbsp;</p>
<h2>Anti-analysis bypass</h2>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">The old Andromeda versions used to include a nice bypass of the anti-analysis routine. If the CRC32 checksum of the system drive volume name was <strong>0x20C7DD84</strong>, the bot executed correctly even if it was running in a virtual environment. The latest version has removed this bypass, but it includes a different one. It is a bit more annoying to set up, but not really difficult.</p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p class="rtecenter" style="margin-bottom: 0cm"><a target="_blank" href="/eternal_files/uploads/andromeda_json_anti_analysis.png"><img width="450" height="487" alt="" src="/eternal_files/uploads/andromeda_json_anti_analysis_0.png" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p style="margin-bottom: 0cm">You need to create a value &ldquo;<em>is_not_vm</em>&rdquo; with a DWORD equal to the botid under the registry key &ldquo;<em>HKEY_LOCAL_MACHINE\SOFTWARE\Policies</em>&rdquo;. After that, even if you are running the blacklisted processes, it will infect the system correctly.<br />
&nbsp;</p>
<h2>More fun!</h2>
<p>
It seems that the development of Andromeda continues, and they keep adding more functionality and new features to the bot. It is always fun to take a look at the new additions, so I am looking forward to the next version already ;) I want more fun! :)</p>
<ul>
<li><strong>b4da6909cf8b5e3791fc5be398247570</strong> (latest)</li>
<li><strong>511e1a70e071ef059e07ff92cba4fe70</strong> (2.09)</li>
<li><strong>9048e3797b1b24e83be5cf6f6a18fcb0</strong> (2.08)</li>
<li><strong>d7c00d17e7a36987a359d77db4568df0</strong> (2.07)</li>
<li><strong>a6dd2204319d5fc96995bbbb22a41960</strong> (2.06)</li>
</ul>
<p>&nbsp;</p>
<h2>Update (2015-05-05)</h2>
<p>
On the 24th of April <a href="https://twitter.com/thedude13">@thedude13</a> found an Andromeda variant sending a new parameter to the control panel:<br />
&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/andromeda_thedude13_tweet.png"><img width="350" height="165" alt="New Andromeda parameter bb tweet" src="/eternal_files/uploads/andromeda_thedude13_tweet_0.png" /></a></div>
<p>&nbsp; <br />
This variant (<strong>c73190c0b99109155df4c4c1006da43d</strong>) adds the parameter <em>&quot;bb&quot;</em> to the request format string:</p>
<p></p>
<ul>
<li><strong>{&quot;id&quot;:%lu,&quot;bid&quot;:%lu,&quot;os&quot;:%lu,&quot;la&quot;:%lu,&quot;rg&quot;:%lu,&quot;bb&quot;:%lu}</strong></li>
</ul>
<p>
Digging a bit into the code, we can see that this new parameter is a flag specifying whether the infected system uses a &quot;friendly&quot; keyboard layout (bb_flag = 1). The list of cool countries considered friends by Andromeda is: Russia, Ukraine, Belarus and Kazakhstan.<br />
&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/andromeda_bb_flag_explanation.png"><img width="500" height="167" alt="Andromeda bb parameter" src="/eternal_files/uploads/andromeda_bb_flag_explanation_0.png" /></a></div>
<p>&nbsp;<br />
This flag, besides being sent to the panel, is checked in several locations in the code. If it is set:</p>
<ul>
<li>It will not ensure persistence of the bot after the system shuts down.</li>
<li>No tasks will be executed in the infected system, meaning that no plugins/updates will be installed and no additional malware will be dropped.</li>
<li>It will not disable security services and system notifications.</li>
<li>It will not disable UAC.</li>
<li>It will not generate NTP traffic and it will not hook the <em>NtMapViewOfSection</em> function.</li>
</ul>
<p>&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/andromeda_bb_flag_check.png"><img width="550" height="419" alt="Andromeda checking the bb flag" src="/eternal_files/uploads/andromeda_bb_flag_check_0.png" /></a></div>
<div class="rteleft">&nbsp;
<h2>Update (2015-07-26)</h2>
<p>
In the paragraph about the newly blacklisted processes I asked for some help to discover which process name corresponds to the CRC32 value 0x3044F7D4. After some tries with well-known security tools I was not able to uncover it. I did not try with processes related to AV software, though. Yesterday, a new comment was added by <em>snemes</em> solving the mystery (kudos to him!!). The process name <strong>avpui.exe (Kaspersky)</strong> has that specific CRC32 value :) This process is not the AV engine itself but the graphical interface (separate processes since Kaspersky Internet Security 2014). That's curious. Another question could be why Andromeda checks just for that Kaspersky process name and not for other AV products...:?<br />
&nbsp;</p></div>
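<p>Added example, not the post's or the bot's code, for the challenge line in &ldquo;More processes blacklisted&rdquo; and its answer in this update: a Python check of process names against the listed CRC32 values. It assumes the standard CRC32 of the lowercased name, as the challenge line CRC32(lower($process)) suggests; the hash values and names are copied from the post's listing.</p>

```python
"""Added example, not the post's or Andromeda's code: check process names
against the CRC32 blacklist from the post's listing.  It assumes the hash is
the standard CRC32 (zlib) of the lowercased name, as the post's challenge
line CRC32(lower($process)) suggests; under a different CRC variant names
would simply fail to match, which verify_listing() makes visible.
"""
import zlib

# Hash -> name, copied from the post's disassembly comments.  The last entry
# was resolved in the 2015-07-26 update as avpui.exe (Kaspersky).
BLACKLIST = {
    0x99DD4432: "vmwareuser.exe",
    0x2D859DB4: "vmwareservice.exe",
    0x64340DCE: "vboxservice.exe",
    0x63C54474: "vboxtray.exe",
    0x349C9C8B: "sandboxiedcomlaunch.exe",
    0x3446EBCE: "sandboxierpcss.exe",
    0x5BA9B1FE: "procmon.exe",
    0x3CE2BEF3: "regmon.exe",
    0x3D46F02B: "filemon.exe",
    0x77AE10F7: "wireshark.exe",
    0xF344E95D: "netmon.exe",
    0x2DBE6D6F: "prl_tools_service.exe",
    0xA3D10244: "prl_tools.exe",
    0x1D72ED91: "prl_cc.exe",
    0x96936BBE: "sharedintapp.exe",
    0x278CDF58: "vmtoolsd.exe",
    0x3BFFF885: "vmsrvc.exe",
    0x6D3323D9: "vmusrvc.exe",
    0xD2EFC6C4: "python.exe",
    0xDE1BACD2: "perl.exe",
    0x3044F7D4: "avpui.exe",
}


def crc32_lower(name: str) -> int:
    """CRC32 of the lowercased process name, as an unsigned 32-bit value."""
    return zlib.crc32(name.lower().encode("ascii")) & 0xFFFFFFFF


def blacklisted(names):
    """Map each process name that hits the blacklist to its hash.  Matching is
    case-insensitive because the post's challenge line lowercases first."""
    hits = {}
    for name in names:
        h = crc32_lower(name)
        if h in BLACKLIST:
            hits[name] = h
    return hits


def verify_listing():
    """Recompute every listed name; a False entry means that name does not
    produce the listed hash under the standard-CRC32 assumption."""
    return {name: crc32_lower(name) == h for h, name in BLACKLIST.items()}


if __name__ == "__main__":
    # Constructed process list, as an analysis VM might show it.
    print(blacklisted(["explorer.exe", "Wireshark.exe", "avpui.exe"]))
    print(verify_listing())
```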
<p>&nbsp;</p>
<p>Comments: <a href="http://eternal-todo.com/blog/andromeda-gamarue-loves-json#comments">http://eternal-todo.com/blog/andromeda-gamarue-loves-json#comments</a><br />
Tags: Analysis, Andromeda, Botnet, Gamarue, Malware, Reversing<br />
Published Thu, 16 Apr 2015 23:47:00 +0000 by jesparza</p>
<h1><a href="http://eternal-todo.com/blog/CVE-2013-2729-obfuscated-pdf-exploits">Quick analysis of the CVE-2013-2729 obfuscated exploits</a></h1>
<div class="rtejustify">Some months ago <a href="http://eternal-todo.com/blog/cve-2013-2729-exploit-zeusp2p-gameover">I analyzed some PDF exploits that I received via spam mails</a>. They contained the vulnerability CVE-2013-2729, leading to a ZeuS-P2P / Gameover sample. Back in June I received more PDF exploits containing the same vulnerability, but in these cases it was a bit more difficult to extract the shellcode because the code was obfuscated. This is what we can see when taking a look at the file <em>account_doc~9345845757.pdf</em> (9cd2118e1a61faf68c37b2fa89fb970c) with <a href="http://peepdf.eternal-todo.com/"><em><strong>peepdf</strong></em></a>:</div>
<p>&nbsp;</p>
<div class="rtecenter"><a href="/eternal_files/uploads/01_CVE-2013-2729_wells_pdf_peepdf.png" target="_blank"><img width="425" height="352" src="/eternal_files/uploads/01_CVE-2013-2729_wells_pdf_peepdf_0.png" alt="" /></a></div>
<p>&nbsp;<br />
It seems that they used the same PDF exploit and just added the obfuscation, because if we compare the <a href="https://twitter.com/peepdf"><em><strong>peepdf</strong></em></a> output for the <a href="http://eternal-todo.com/eternal_files/uploads/06_cve-2013-2729_peepdf_detection.png">previous exploits</a> we can see the same number of objects, the same number of streams, the same object ids, the same id for the catalog, etc. After extracting the suspicious object (1) you can spot the shellcode easily, but some modifications are needed:<br />
&nbsp;</p>
<pre><span style="color: rgb(0, 255, 0);"><span style="font-size: smaller;">PPDF&gt;</span></span><span style="font-size: smaller;"> object 1 &gt; object1_output.txt</span></pre><p>&nbsp;<br />
We can see two &ldquo;images&rdquo; encoded with Base64:<br />
&nbsp;</p>
<div class="rtecenter"><a href="/eternal_files/uploads/02_CVE-2013-2729_wells_image_peepdf.png" target="_blank"><img width="450" height="320" src="/eternal_files/uploads/02_CVE-2013-2729_wells_image_peepdf_0.png" alt="" /></a></div>
<p>&nbsp;<br />
And then an interesting array (<em>&quot;bhf&quot;</em>), which seems to contain a shellcode. I say that just guessing, after taking a look at the second pair of characters (EB), a JMP instruction in x86 assembly:<br />
&nbsp;</p>
<div class="rtecenter"><a href="/eternal_files/uploads/03_CVE-2013-2729_wells_shellcode_array_peepdf.png" target="_blank"><img width="450" height="315" src="/eternal_files/uploads/03_CVE-2013-2729_wells_shellcode_array_peepdf_0.png" alt="" /></a></div>
<p>&nbsp;<br />
If we look for references to that array (<em>&quot;bhf&quot;</em>) we find this:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">var hKrM = Pript1.P6W(Pript1.kQNt1(ezJ.bhf));</span></pre><p>&nbsp;<br />
The function <em>&quot;kQNt1&quot;</em> converts our array into a single string of escaped unicode characters, which is then passed as an argument to the function <em>&quot;P6W&quot;</em>. This other function is defined here:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">var P6W = yo(ezJ.rk[2] + ezJ.rk[3] + ezJ.rk[4]); // P6W = eval(&quot;unescape&quot;) = unescape</span></pre><p>&nbsp;<br />
And the <em>&quot;rk&quot;</em> array contains:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">var rk = [&quot;ev&quot;, &quot;al&quot;, &quot;un&quot;, &quot;esc&quot;, &quot;ape&quot;, &quot;Str&quot;, &quot;ing.&quot;, &quot;fro&quot;, &quot;mCharC&quot;, &quot;ode&quot;];</span></pre><p>&nbsp;<br />
The <em>&quot;yo&quot;</em> function is defined here:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">var yo = eval(ezJ.rk[0] + ezJ.rk[1]); // yo = eval</span></pre><p>&nbsp;<br />
So it is just executing <em>&quot;unescape&quot;</em> on our escaped characters. We can create a Javascript file containing just the <em>&quot;bhf&quot;</em> array and the function <em>&quot;kQNt1&quot;</em> to obtain the result:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">function kQNt1(s){<br /> ...<br />}<br />var bhf = [&quot;06eb0000000005...&quot;];<br />print(kQNt1(bhf));</span></pre><p>&nbsp;<br />
Then with the result we can use the command <a href="https://code.google.com/p/peepdf/wiki/Commands#js_unescape"><em><strong>js_unescape</strong></em></a> to obtain the shellcode:<br />
&nbsp;</p>
<pre><span style="color: rgb(0, 255, 0);"><span style="font-size: smaller;">PPDF&gt;</span></span><span style="font-size: smaller;"> set escaped_shellcode &quot;%u06eb%u0000...&quot;<br /><span style="color: rgb(0, 255, 0);">PPDF&gt;</span> js_unescape variable escaped_shellcode</span></pre><p>&nbsp; </p>
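<p>Added example, not the exploit's or peepdf's code: this Python snippet reproduces the steps above offline (rebuilding the split function names from the &ldquo;<em>rk</em>&rdquo; array, turning the hex-chunk array into the %uXXXX string as &ldquo;<em>kQNt1</em>&rdquo; does, and unescaping it into bytes) and applies the EB/JMP check from the text. The hex chunks are constructed; the &ldquo;<em>rk</em>&rdquo; array is the one quoted above.</p>

```python
"""Added example, not the exploit's or peepdf's code: reproduce what the
obfuscated script does with the "bhf" array (hex chunks -> "%uXXXX" string
-> unescape) so the shellcode bytes can be examined offline.  The sample
chunks are constructed; RK is the "rk" array quoted in the post.
"""
import re
import struct

RK = ["ev", "al", "un", "esc", "ape", "Str", "ing.", "fro", "mCharC", "ode"]

ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def join_parts(parts, *indexes):
    """Rebuild a name the script hides as concatenated fragments,
    e.g. rk[2]+rk[3]+rk[4] -> "unescape"."""
    return "".join(parts[i] for i in indexes)


def hex_chunks_to_escaped(chunks) -> str:
    """What the post says kQNt1 does: join the array of hex strings and emit
    one %uXXXX escape per four hex digits, in array order.  A two-digit tail
    becomes a single-byte %XX escape; any other odd length is rejected."""
    digits = "".join(chunks).lower()
    if not re.fullmatch(r"[0-9a-f]*", digits):
        raise ValueError("non-hex content in array")
    escaped = ""
    i = 0
    while i + 4 <= len(digits):
        escaped += "%u" + digits[i:i + 4]
        i += 4
    if len(digits) - i == 2:
        escaped += "%" + digits[i:]
    elif len(digits) != i:
        raise ValueError("hex digit count must be even")
    return escaped


def js_unescape_bytes(escaped: str) -> bytes:
    """Unescape like JavaScript's unescape(), keeping the bytes as they sit
    in memory: %uXXXX -> one UTF-16 code unit, little-endian; %XX -> one
    byte.  Anything that is not an escape is rejected instead of kept."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(escaped):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}")
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    if pos != len(escaped):
        raise ValueError("trailing text after the last escape")
    return bytes(out)


def starts_with_short_jmp(code: bytes) -> bool:
    """The post's tell: a leading 0xEB (x86 'jmp short') is typical of
    shellcode that hops over embedded data."""
    return len(code) >= 2 and code[0] == 0xEB


if __name__ == "__main__":
    print(join_parts(RK, 2, 3, 4), join_parts(RK, 0, 1), join_parts(RK, 5, 6, 7, 8, 9))
    bhf = ["06eb0000", "0000"]                 # constructed, not the real array
    escaped = hex_chunks_to_escaped(bhf)
    code = js_unescape_bytes(escaped)
    print(escaped, "->", code.hex(), "jmp short:", starts_with_short_jmp(code))
```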
<div class="rtecenter"><a href="/eternal_files/uploads/04_CVE-2013-2729_wells_peepdf_unescape.png" target="_blank"><img width="450" height="328" src="/eternal_files/uploads/04_CVE-2013-2729_wells_peepdf_unescape_0.png" alt="" /></a></div>
<p>&nbsp; <br />
In this case this shellcode contained the following URL and it was downloading an Andromeda sample:<br />
&nbsp;&nbsp;</p>
<pre><span style="font-size: smaller;">hxxp://88.190.45.44/images/bannier1/Andr.exe (71fe6902d67ac50828fb67d90f09fdd7)</span></pre><p>&nbsp; <br />
The Andromeda C&amp;C was:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">hxxp://disk57.com/gate.php (188.190.117.93)</span></pre><p>&nbsp; <br />
Two months after this campaign there was another one, dropping Dyre / Dyreza and NewGOZ (new Gameover ZeuS without P2P). In that case there was one more level of obfuscation: the shellcode array was not visible. I mentioned above that there were two &ldquo;images&rdquo; encoded with Base64; they contained the ROP offsets and other variables needed for the exploitation. In this new campaign there were two encoded &ldquo;images&rdquo; too, but not in Base64 this time, too easy ;p<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">hCS(sRi(xfa.resolveNode(&quot;Image10&quot;).rawValue));</span></pre><p>&nbsp;<br />
Here the function <em>&quot;sRi&quot;</em> is the important one, <em>&quot;hCS&quot;</em> being the <em>&quot;eval&quot;</em> function. The function <em>&quot;sRi&quot;</em> decodes the &ldquo;images&rdquo;, but it contains obfuscated variables, so static analysis is a bit annoying. However, following the execution flow a bit and making some changes in the code we obtain <a href="http://pastebin.com/c8UFhWk0">this clean version</a>:<br />
&nbsp;</p>
<div class="rtecenter"><a href="/eternal_files/uploads/05_CVE-2013-2729_obfuscated_function.png" target="_blank"><img width="400" height="236" src="/eternal_files/uploads/05_CVE-2013-2729_obfuscated_function_0.png" alt="" /></a></div>
<p>&nbsp;<br />
After decoding the first image we quickly see the shellcode variable again:<br />
&nbsp;</p>
<div class="rtecenter"><a href="/eternal_files/uploads/06_CVE-2013-2729_obfuscated_shellcode.png" target="_blank"><img width="425" height="336" src="/eternal_files/uploads/06_CVE-2013-2729_obfuscated_shellcode_0.png" alt="" /></a></div>
<p>&nbsp;<br />
And using the <a href="https://code.google.com/p/peepdf/wiki/Commands#js_unescape"><em><strong>js_unescape</strong></em></a> command:<br />
&nbsp;</p>
<div class="rtecenter"><a href="/eternal_files/uploads/07_CVE-2013-2729_obfuscated_commands.png" target="_blank"><img width="450" height="354" src="/eternal_files/uploads/07_CVE-2013-2729_obfuscated_commands_0.png" alt="" /></a></div>
<p>&nbsp; <br />
Resulting in a NewGOZ sample being downloaded from the following URL:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">hxxp://kampungnasi.com/111.exe (139aded90404e7566d4ece8ba1ba43aa)</span></pre><p>&nbsp;<br />
If you want to learn how to do this type of analysis, you can come tomorrow to my <a href="https://www.blackhat.com/eu-14/briefings.html#pdf-attack-a-journey-from-the-exploit-kit-to-the-shellcode">workshop at Black Hat Europe</a> (this <a href="https://www.blackhat.com/eu-14/schedule/briefings-17.html">Friday at 9:00</a>). I will be there for two hours demoing different exercises, really practical! ;) How good are you? Check it on Friday! :)</p>
Comments: http://eternal-todo.com/blog/CVE-2013-2729-obfuscated-pdf-exploits#comments
Tags: Analysis, Dyre, Javascript, Malware, PDF, peepdf, Shellcode, Vulnerabilities
Thu, 16 Oct 2014 01:53:33 +0000 | jesparza | 125 at http://eternal-todo.com

Dissecting SmokeLoader (or Yulia's sweet ass proposition)
http://eternal-todo.com/blog/smokeloader-analysis-yulia-photo
<p>In mid-August I started receiving some emails from Yulia. She wanted me to take a look at her sweet ass:<br />
&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/00_smokeloader_spam.png"><img border="0" width="425" height="269" alt="SmokeLoader spam" src="/eternal_files/uploads/00_smokeloader_spam_0.png" /><br />
</a></div>
<div class="rteleft">&nbsp;</div>
<p>I was not sure about it, but after receiving some more emails like this I took a look (I received the last one on the 10th of September). Then I found out that this was the beginning of a SmokeLoader campaign; I was really disappointed :( Out of spite, I started analyzing it ;p</p>
<p>These are some of the headers and the message body:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">Date: Wed, 13 Aug 2014 12:55:56 -0400<br />From:&nbsp;&nbsp; &quot;Yulia&quot; &lt;negligentjsd185@dialectologic.in&gt;<br />Subject: My new&nbsp; photo<br /><br />Hi it is Yulia fuck me ass at night. Look at my sweet ass on a photo I wait for you</span></pre><p>&nbsp; <br />
I don't want to duplicate the information already published about this loader, so you can check the <a href="http://stopmalvertising.com/rootkits/analysis-of-smoke-loader.html">post published in July by StopMalvertising</a> and <a href="http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/">what my colleague Michael Sandee said about it in 2012</a>. Since then, SmokeLoader (known as Dofoil too) has modified the encryption to communicate with the C&amp;C, added some extra plugins, etc.</p>
<p>After executing the binary you can easily spot that something is happening on your computer, because you can see some strange POST requests to some known URLs. These URLs are extracted from the registry, opening the key <em>Software\Microsoft\Windows\CurrentVersion\Uninstall</em> and looking at the values of <em>HelpLink</em> and <em>URLInfoAbout</em> for the installed programs. &nbsp; <br />
&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/01_smokeloader_traffic.png"><img border="0" width="425" height="269" alt="SmokeLoader traffic" src="/eternal_files/uploads/01_smokeloader_traffic_0.png" /></a></div>
<p>&nbsp; <br />
Actually, first you see a GET request to <em>http://www.msn.com/</em>, then a &ldquo;random&rdquo; number of POST requests with encoded data sent to sites familiar to you, then the real malware communication and, finally, a &ldquo;random&rdquo; number of POST requests again. I guess this is just to hide the real communication, but sending strange POST requests is not really a good way to hide it...</p>
<p>It is possible that you don't see any request at all. If this is the case then you have been detected by our friend ;) The binary includes an anti-analysis function and you will end up in an endless loop if you are not able to pass all the checks. <br />
&nbsp;&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/03_smokeloader_anti_analysis.png"><img border="0" width="382" height="275" alt="SmokeLoader antianalysis" src="/eternal_files/uploads/03_smokeloader_anti_analysis_0.png" /></a></div>
<p>&nbsp; <br />
SmokeLoader performs the following checks (some of them are mentioned <a href="http://research.zscaler.com/2014/01/the-story-of-trojan-dropper-iii.html">here</a>):</p>
<ul>
<li>Checks if the module filename contains &ldquo;sample&rdquo;.</li>
<li>Checks if the C: volume serial number is 0xCD1A40 (<em>ThreatExpert</em>) or 0x70144646 (<em>Malwr</em>).</li>
<li>Checks if the modules &ldquo;sbiedll&rdquo; (<em>Sandboxie</em>) and &ldquo;dbghelp&rdquo; are loaded.</li>
<li>Checks the disk enum key (<em>System\CurrentControlSet\Services\Disk\Enum</em>) looking for:
<ul>
<li>qemu</li>
<li>virtual</li>
<li>vmware</li>
<li>xen</li>
</ul>
</li>
<li>Checks if <em>AutoItv3</em>, <em>CCleaner</em> and <em>WIC</em> are installed by looking in the registry (<em>Software\Microsoft\Windows\CurrentVersion\Uninstall</em>). It seems that <a href="http://joe4security.blogspot.nl/2014_07_01_archive.html"><strong>this is a fingerprint for Joe Sandbox</strong></a>.</li>
</ul>
<p>&nbsp;&nbsp; &nbsp; <br />
In order to know whether it is running on a 64-bit operating system it checks the segment register GS: <br />
&nbsp;&nbsp;&nbsp; </p>
<pre><span style="font-size: smaller;">mov ax, gs<br />test ax, ax<br />jz short loc_2934D0<br />inc ds:is64Bits</span> </pre><p>&nbsp; <br />
Depending on that it will use a different way to inject in <em>explorer.exe</em> and then to create an additional <em>svchost.exe</em> process. This is well explained in the third step of this <a href="http://blogs.avg.com/news-threats/zeus-bot-czech-republic/">AVG blog post talking about ZeuS</a> (one of these techniques uses the functions <em>FindWindow</em>, <em>GetWindowLongA</em> and <em>SetWindowLongA</em>). It seems that this part of the code was copy/pasted too...</p>
<p>After these steps, the malware is initialized, setting up the User-Agent (by default, <em>Mozilla/4.0</em>), sending the GET request to MSN, creating the botid, the mutex, etc. That is when the fun starts, sending these fake POST requests and finally communicating with the C&amp;C. &nbsp; <br />
&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/05_smokeloader_init.png"><img border="0" width="450" height="320" alt="SmokeLoader Main function" src="/eternal_files/uploads/05_smokeloader_init_0.png" /></a></div>
<p>&nbsp; <br />
The server URLs are hardcoded in the binary, using some basic XOR operations to encode the data. There are at least two blocks with the following format: &nbsp;&nbsp; <br />
&nbsp;</p>
<pre><span style="font-size: smaller;">[XOR_BYTE_KEY][BYTE2][BYTE3][BYTE3][SIZE][DATA]</span></pre><p>&nbsp; <br />
One block could be the main URL and the other the backup URL, but in the samples that I have analyzed both blocks contain the same URLs. Every 10 minutes a POST request is sent to the SmokeLoader C&amp;C, looking for new tasks. The request data has this format:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">cmd=getload&amp;login=$BOTID&amp;sel=jopa1&amp;ver=5.1&amp;bits=0&amp;admin=1&amp;hash=&amp;r=$GARBAGE</span></pre><p>&nbsp;</p>
<ul>
<li><em>cmd</em>: Command sent to the panel.</li>
<li><em>login</em>: botid with format %08X%08X%08X%08X%08X.</li>
<li><em>sel</em>: seller id. It is hardcoded in the binary and identifies the user related to the campaign.</li>
<li><em>ver</em>: OS version.</li>
<li><em>bits</em>: Whether the OS is 64-bit or not.</li>
<li><em>admin</em>: Whether the malware is running with Admin privileges or not.</li>
<li><em>hash</em>: Disk binary hash (in case it is a persistent version).</li>
<li><em>r</em>: Just garbage data. This is the only parameter included in the fake requests mentioned above.</li>
</ul>
<p>&nbsp;&nbsp; <br />
This data is encrypted with a modified version of RC4, resulting in a block like this: <br />
&nbsp;</p>
<pre><span style="font-size: smaller;">[SIZE][KEY][ENCRYPTED_DATA]</span></pre><p>&nbsp; <br />
Then a 404 response is received, but it contains interesting data. This data is divided into a first block of digits, terminated with a null byte, and an encrypted block. The block of digits can easily be decoded by taking 3-digit groups and converting them to their corresponding bytes (&ldquo;214&rdquo; = 0xD6). The first resulting byte is the XOR key to be used with the rest. <br />
&nbsp;&nbsp;</p>
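<p class="rtejustify">An added example (not code from the post) that decodes this response format in Python: the body is split at the null byte, the digit block is read in 3-digit groups, the first byte is used as the XOR key for the rest, and the resulting text is split on the <em>|:|</em> separator into the action character and its key/value fields, as in the decoded response shown further below. The sample body is constructed here from the post's plaintext with key 0xD6; the encrypted second block is returned untouched because the modified RC4 is not described.</p>

```python
def decode_digit_block(digits):
    """Decode SmokeLoader's digit block: 3-digit decimal groups become bytes
    ("214" -> 0xD6), and the first byte is the XOR key for the remaining ones."""
    if not digits or len(digits) % 3 or not digits.isdigit():
        raise ValueError("digit block must be a non-empty multiple of 3 digits")
    raw = []
    for i in range(0, len(digits), 3):
        value = int(digits[i:i + 3])
        if value > 0xFF:
            raise ValueError("group %r is not a byte" % digits[i:i + 3])
        raw.append(value)
    key = raw[0]
    return bytes(b ^ key for b in raw[1:])


def split_response(body):
    """Split a 404 response body into the digit block (everything before the
    first null byte) and the encrypted plugin block that follows it."""
    digits, sep, encrypted = body.partition(b"\x00")
    if not sep:
        raise ValueError("no null terminator after the digit block")
    return digits.decode("ascii"), encrypted


def parse_smk(plaintext):
    """Parse the decoded text: 'Smk' magic, the action character in the 4th
    position, then key=value fields separated by '|:|' (empty fields are
    skipped, since the sample has consecutive separators)."""
    text = plaintext.decode("latin-1")
    if len(text) < 4 or not text.startswith("Smk"):
        raise ValueError("not a SmokeLoader response")
    fields = text.split("|:|")
    action = fields[0][3]
    params = {}
    for field in fields[1:]:
        if not field:
            continue
        key, _, value = field.partition("=")
        params[key] = value
    return action, params


def decode_response(body):
    """Full pipeline for one 404 body: (action, params, encrypted_block).
    The encrypted block is left as-is; its modified RC4 is out of scope here."""
    digits, encrypted = split_response(body)
    action, params = parse_smk(decode_digit_block(digits))
    return action, params, encrypted


def encode_digit_block(plaintext, key):
    """Inverse of decode_digit_block, used only to construct a sample body."""
    groups = [key] + [b ^ key for b in plaintext]
    return "".join("%03d" % g for g in groups)


# Constructed sample: the plaintext shown in the post, XOR key 0xD6 (214),
# the null terminator, and a placeholder where the encrypted block would be.
SAMPLE_PLAINTEXT = (b"Smk0|:|socks_rules=127.0.0.1|:||:|"
                    b"hosts_rules=127.0.0.1 localhost|:||:|plugin_size=60500")
SAMPLE_BODY = (encode_digit_block(SAMPLE_PLAINTEXT, 0xD6).encode("ascii")
               + b"\x00" + b"<encrypted plugin block placeholder>")

if __name__ == "__main__":
    action, params, encrypted = decode_response(SAMPLE_BODY)
    print(action, params)   # 0 {'socks_rules': '127.0.0.1', 'hosts_rules': ..., 'plugin_size': '60500'}
    print(len(encrypted), "encrypted bytes left for the RC4 step")
```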
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/04_smokeloader_response.png"><img border="0" width="350" height="378" alt="SmokeLoader response" src="/eternal_files/uploads/04_smokeloader_response_0.png" /></a></div>
<p>&nbsp; <br />
After decoding the response we obtain something like this:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">Smk<span style="color: rgb(255, 0, 0);">0</span>|:|socks_rules=127.0.0.1|:||:|hosts_rules=127.0.0.1 localhost|:||:|plugin_size=60500</span></pre><p>&nbsp; <br />
Depending on the character located in the 4th position (&ldquo;0&rdquo; in this case) the loader will perform a different action, asking for additional binaries to be installed, updating itself, removing itself from the system, etc. The second block received in the 404 response contains some plugins encrypted with the same modified RC4 algorithm. There is a 21-byte header and then another 21-byte header per plugin. The plugin header has the following format:&nbsp;<br />
&nbsp; &nbsp;</p>
<pre><span style="font-size: smaller;">[PLUGIN_SIZE(4)][PLUGIN_TYPE(1)][KEY(16)]</span></pre><p>&nbsp; <br />
Besides being encrypted, the plugins are also compressed with UPX and all of them export the function &quot;<em>Work</em>&quot;. These are the plugins that I have seen so far:<br />
&nbsp;</p>
<ul>
<li><em>AVInfo.dll</em>: It is a Delphi plugin which uses the <a href="http://theroadtodelphi.wordpress.com/2011/02/18/getting-the-installed-antivirus-antispyware-and-firewall-software-using-delphi-and-the-wmi/"><strong>Windows Management Instrumentation (WMI) to obtain the installed Antivirus and Firewall products</strong></a>. If the Antivirus product is not detected that way, it checks the running processes to find Antivirus processes:
<ul>
<li>avp.exe&nbsp; (Kaspersky)</li>
<li>ccsvchst.exe&nbsp; (Norton)</li>
<li>dwservice.exe&nbsp; (DrWeb)</li>
<li>dwengine.exe&nbsp; (DrWeb)</li>
<li>avgnt.exe&nbsp; (Avira)</li>
<li>avguard.exe&nbsp; (Avira)</li>
<li>malwaredefender.exe (Malware Defender)</li>
</ul>
</li>
</ul>
<div>&nbsp;</div>
<div class="rteindent1">After gathering this information, it is reported to the control panel using this format: &ldquo;<em>cmd=avinfo&amp;login=%s&amp;info=%s777%s</em>&rdquo;. The Antivirus and Firewall product names are separated by &ldquo;777&rdquo;.</div>
<div>&nbsp;</div>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/05_smokeloader_avinfo.png"><img width="425" height="184" alt="SmokeLoader AV info" src="/eternal_files/uploads/05_smokeloader_avinfo_0.png" /></a></div>
<div>&nbsp;</div>
<ul>
<li><em>FTPGrab.dll</em>: This module injects code into every running process, decoding another plugin called <em>Grabber.dll</em>. This new plugin hooks the functions &ldquo;<em>send</em>&rdquo; and &ldquo;<em>WSASend</em>&rdquo; to collect usernames/passwords for the FTP, POP3, SMTP and IMAP protocols. Then it includes this information in the request &ldquo;<em>cmd=ftpgrab&amp;login=%s&amp;grab=</em>&rdquo;, appending the following lines:
<ul>
<li>pop3://%s:%s@%s:%d</li>
<li>ftp://%s:%s@%s:%d</li>
<li>imap://%s:%s@%s:%d</li>
<li>smtp://%s:%s@%s:%d</li>
</ul>
</li>
</ul>
<div>&nbsp;</div>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/06_smokeloader_grabber_hooks.png"><img width="425" height="349" alt="SmokeLoader Grabber.dll hooks" src="/eternal_files/uploads/06_smokeloader_grabber_hooks_0.png" /></a></div>
<div>&nbsp;</div>
<ul>
<li><em>shell.dll</em>: If the server response includes the &ldquo;<em>shell_rules</em>&rdquo; parameter, then the command specified is executed and the result is sent to the panel, encoded with Base64. The request used for this will be &ldquo;<em>cmd=getshell&amp;login=%s&amp;shell=$RESULT&amp;run=ok</em>&rdquo;.</li>
</ul>
<p>&nbsp; <br />
These plugins are stored on disk encrypted with the same modified RC4 algorithm, using the botid as key. Besides these, there is another plugin, called <em>Rootkit.dll</em>, used to hook the functions <em>ZwQuerySystemInformation</em>, <em>ZwQueryDirectoryFile</em> and <em>ZwEnumerateValueKey</em> to try to hide the malware process, files and registry keys. <br />
&nbsp;&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/07_smokeloader_rootkit.png"><img width="400" height="266" alt="SmokeLoader Rootkit.dll" src="/eternal_files/uploads/07_smokeloader_rootkit_0.png" /></a></div>
<p>&nbsp; <br />
These are some of the samples used to write this blog post: &nbsp; <br />
&nbsp;</p>
<pre><span style="font-size: smaller;">4fe5f69ca1ab813e829479004f262ccd<br />db3745ec149818567de5d2dfc3477d25<br />a4b7e8bf966ee5c6e2c731e9047968d4<br />e1ee0990ffd0da3df13c1206a6bb9a4b<br />86ca12376ab5e27534029d23b2952a28</span></pre><p>&nbsp;<br />
The C&amp;C URLs related to these binaries are: &nbsp; <br />
&nbsp; </p>
<pre><span style="font-size: smaller;">hxxp://joppwer.in/<br />hxxp://offnamerty.ru/<br />hxxp://jtp888888.ru/</span></pre><p>&nbsp;</p>
Comments: http://eternal-todo.com/blog/smokeloader-analysis-yulia-photo#comments
Tags: Analysis, Dofoil, Malware, Reversing, SmokeLoader, Spam
Sun, 05 Oct 2014 20:03:23 +0000 | jesparza | 123 at http://eternal-todo.com

Released peepdf v0.3
http://eternal-todo.com/blog/peepdf-v0.3-new-release
<style type="text/css">P { margin-bottom: 0.1cm; }A:link { }</style><p style="margin-bottom: 0cm" class="rtejustify"><span lang="en-US">After some time without releasing any new version here is <a href="http://eternal-todo.com/files/pdf/peepdf/peepdf_0.3.zip">peepdf v0.3</a>. It is not that I was not working on the project, but since <a href="http://code.google.com/p/peepdf/wiki/Execution#Updating_peepdf">the option to update the tool from the command line was released</a> creating new versions became a secondary task. Besides this, since January 2014 <a href="http://google-opensource.blogspot.nl/2013/05/a-change-to-google-code-download-service.html">Google removed the option to upload new downloads to the Google Code projects</a>, so I had to figure out how to do it. From now on, all new releases will be hosted at <a href="http://peepdf.eternal-todo.com/">eternal-todo.com</a>, in the <a href="http://eternal-todo.com/tools/peepdf-pdf-analysis-tool#releases">releases section</a>.</span></p>
<p style="margin-bottom: 0cm" class="rtejustify">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtejustify"><span lang="en-US">The differences with version 0.2 are noticeable: new commands and features have been added, some libraries have been updated, detection for more vulnerabilities has been added, a lot of bugs have been fixed, etc. This is the list of the most important changes (<a href="http://peepdf.googlecode.com/svn/trunk/CHANGELOG">full changelog here</a>):</span></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<ul>
<li>
<p style="margin-bottom: 0cm">Replaced Spidermonkey with PyV8 as the Javascript engine (<a href="http://eternal-todo.com/blog/pdf-attack-journey-exploitkit-shellcode"><strong>see why here</strong></a>).</p>
</li>
<li>
<p style="margin-bottom: 0cm">New command <i>&ldquo;<a href="http://code.google.com/p/peepdf/wiki/Commands#vtcheck"><strong>vt_check</strong></a>&rdquo;</i> to show VirusTotal detection (API key included). The sample is not sent to VT just hashes.</p>
</li>
<li>
<p style="margin-bottom: 0cm">Added detection for CVE-2010-0188, CVE-2010-2883, CVE-2013-0640, CVE-2013-2729 and CVE-2013-3346.</p>
</li>
<li>
<p style="margin-bottom: 0cm">Updated <a href="https://pypi.python.org/pypi/colorama"><em><strong>colorama</strong></em></a> to version 3.1.</p>
</li>
<li>
<p style="margin-bottom: 0cm">New option to avoid automatic execution of Javascript code (-m). Useful to avoid endless loops related to heap spraying.</p>
</li>
<li>
<p style="margin-bottom: 0cm">New command <i>&ldquo;<a href="http://code.google.com/p/peepdf/wiki/Commands#js_jjdecode"><strong>js_jjdecode</strong></a>&rdquo;</i> to decode Javascript code using the <a href="http://utf-8.jp/public/jjencode.html"><strong><i>jjencode</i> algorithm</strong></a>.</p>
</li>
<li>
<p style="margin-bottom: 0cm">New command <i>&ldquo;<a href="http://code.google.com/p/peepdf/wiki/Commands#js_vars"><strong>js_vars</strong></a>&rdquo;</i> to show the variables defined in the Javascript context and their content.</p>
</li>
<li>
<p style="margin-bottom: 0cm">More complete description of the exploits found.</p>
</li>
</ul>
<p style="margin-bottom: 0cm; font-variant: normal">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtecenter"><a href="/eternal_files/uploads/peepdf_cve-2013-0640.png" target="_blank"><img border="0" width="425" height="257" src="/eternal_files/uploads/peepdf_cve-2013-0640_0.png" alt="peepdf detecting CVE-2013-0640" /></a></p>
<p style="margin-bottom: 0cm">&nbsp;</p>
<p lang="es-ES" style="margin-bottom: 0cm" class="rtejustify"><span lang="en-US">Another change in this version is that it is no longer possible to use the command </span><span lang="en-US"><i>&ldquo;set output&rdquo;</i></span><span lang="en-US"> to redirect the output from the interactive console. Some time ago I added the <a href="http://eternal-todo.com/blog/extract-streams-shellcode-peepdf">command-line-like redirection (&quot;&gt;&quot;, &quot;&gt;&gt;&quot;, &quot;$&gt;&quot; and &quot;$&gt;&gt;&quot;)</a>, so the command &ldquo;set output&rdquo; was no longer useful and a bit deprecated.</span></p>
<p style="margin-bottom: 0cm" class="rtejustify">&nbsp;</p>
<p lang="es-ES" style="margin-bottom: 0cm" class="rtejustify"><span lang="en-US">Besides this, it is important to highlight that a bug related to the interactive console prompt was fixed. The command history was being truncated and messed up on Unix systems, due to the use of the <a href="http://cnswww.cns.cwru.edu/php/chet/readline/rltop.html">GNU Readline library</a> and a <a href="http://bugs.python.org/issue17337">bug related to not handling colorized prompts correctly</a>. Well, it was partially fixed, because, although it works well on Linux systems, machines running Mac OS X still have the same issue. The problem is that this operating system uses <a href="http://thrysoee.dk/editline/">Editline</a> instead of GNU Readline to manage the interactive console and it seems they don't have a fix for this. If someone knows a workaround for this, please contact me, you will make me happy ;)</span></p>
<p style="margin-bottom: 0cm" class="rtejustify">&nbsp;</p>
<p style="margin-bottom: 0cm" class="rtejustify">I am already thinking about the new version, including detection for more exploits/vulnerabilities, JSON output (it seems that XML is not cool anymore, or has not been for some years ;p), improvements in the execution of Javascript code and fixes for the new bugs found.</p>
<p style="margin-bottom: 0cm" class="rtejustify">&nbsp;</p>
<p lang="es-ES" style="margin-bottom: 0cm" class="rtejustify"><span lang="en-US">If you don't have </span><a href="http://twitter.com/peepdf"><span lang="en-US"><i>peepdf</i></span></a><span lang="en-US"> on your system it is possible to <a href="http://eternal-todo.com/tools/peepdf-pdf-analysis-tool#releases">download the package here</a> (<a href="http://eternal-todo.com/files/pdf/peepdf/peepdf_0.3.zip">ZIP</a> or <a href="http://eternal-todo.com/files/pdf/peepdf/peepdf_0.3.tar.gz">TAR.GZ</a>). As usual, I look forward to your feedback and your bug reports to continue improving the tool. Thanks a lot!</span></p>
Comments: http://eternal-todo.com/blog/peepdf-v0.3-new-release#comments
Tags: Analysis, Exploits, Javascript, PDF, peepdf, Shellcode, Tools, Vulnerabilities
Mon, 16 Jun 2014 17:38:25 +0000 | jesparza | 121 at http://eternal-todo.com

Spammed CVE-2013-2729 PDF exploit dropping ZeuS-P2P/Gameover
http://eternal-todo.com/blog/cve-2013-2729-exploit-zeusp2p-gameover
<div class="rtejustify">I am used to receiving SPAM emails containing zips and exes, even &quot;PDF files&quot; with a double extension (<em>.pdf.exe</em>), but some days ago I received an email with a PDF file attached, without any <em>.exe</em> extension, and it didn't look like a Viagra advertisement. Weird. I didn't have time to take a look at it, but the next day I received another one, with a different subject. The subject of the first email was &ldquo;<em>Invoice 454889 April</em>&rdquo; from <em>Sue Mockridge (motherlandjjw949 at gmail.com)</em> attaching <em>&ldquo;April invoice 819953.pdf&rdquo;</em> (eae0827f3801faa2a58b57850f8da9f5), and the second one <em>&ldquo;Image has been sent jesparza&rdquo;</em> from <em>Evernote Service</em> (<em>message at evernote.com</em>, but really <em>protectoratesl9 at gmail.com</em>) attaching <em>&ldquo;Agreemnet-81220097.pdf&rdquo; (2a03ac24042fc35caa92c847638ca7c2)</em>.</div>
<p>&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/01_cve-2013-2729_invoice_email.png"><img border="0" width="425" height="306" alt="cve-2013-2729_invoice_email" src="/eternal_files/uploads/01_cve-2013-2729_invoice_email_0.png" /></a></div>
<p>&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/02_cve-2013-2729_evernote_email.png"><img border="0" width="425" height="305" alt="cve-2013-2729_evernote_email" src="/eternal_files/uploads/02_cve-2013-2729_evernote_email_0.png" /></a></div>
<p>&nbsp;<br />
At this point I was really curious so I took a look at them with <a href="http://peepdf.eternal-todo.com/"><em><strong>peepdf</strong></em></a>. <br />
&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/03_cve-2013-2729_peepdf_error.png"><img border="0" width="425" height="345" alt="cve-2013-2729_peepdf_error" src="/eternal_files/uploads/03_cve-2013-2729_peepdf_error_0.png" /></a></div>
<p>&nbsp;<br />
At that moment I only saw a suspicious <em>/AcroForm</em> element, but nothing more. This element was referencing object 1, not shown due to a bug in <a href="https://twitter.com/peepdf"><em><strong>peepdf</strong></em></a>.<br />
&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/04_cve-2013-2729_xfa_form.png"><img border="0" width="425" height="367" alt="cve-2013-2729_xfa_form" src="/eternal_files/uploads/04_cve-2013-2729_xfa_form_0.png" /></a></div>
<p>&nbsp; </p>
<div class="rtejustify">I had to fix it to see the important stream (object 1), encoded twice with <em>/FlateDecode</em>, but in its abbreviated form (<em>[/Fl /Fl]</em>). It was an XFA form, containing Javascript code and an image encoded in Base64. After extracting the stream to a file it had an unusual size, 85MB. Small, eh? ;) Besides the four script elements it contained, the culprit for this size was the encoded image, a BMP file with a repeating pattern, <em>&ldquo;\x00\x02\xff\x00&rdquo;</em>.</div>
<p>&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/05_cve-2013-2729_bmp_exploit.png"><img border="0" width="450" height="251" alt="cve-2013-2729_bmp_exploit" src="/eternal_files/uploads/05_cve-2013-2729_bmp_exploit_0.png" /></a></div>
<p>&nbsp; </p>
<div class="rtejustify">With this information and thanks to other characteristic strings found in this object (<em>&ldquo;0aa46f9b-2c50-42d4-ab0b-1a1015321da7&rdquo;, &ldquo;// Index of the overlapped string&rdquo;, &ldquo;// Base of the AcroRd32_dll&rdquo;</em>, etc) it was easy to spot the vulnerability exploited here. It turned out to be the <em>Adobe Reader BMP/RLE heap corruption vulnerability (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729">CVE-2013-2729</a>)</em> and <a href="https://github.com/feliam/CVE-2013-2729/blob/master/XFABMPExploit.py">the bad guys copied the PoC written by Felipe Manzano</a> (it was not the first time that the attackers reused code from <a href="https://twitter.com/feliam">Felipe</a>, for example, <a href="http://eternal-todo.com/blog/cve-2011-2462-exploit-analysis-peepdf">in the case of a CVE-2011-2462 exploit</a>). I&nbsp;have to be fair and mention that the bad guys made some extra effort to add more ROP offsets to cover 23 different Adobe Reader versions, from 9.3.0.3 to 11.0.0.1 ;) The vulnerability itself is an <a href="http://www.adobe.com/support/security/bulletins/apsb13-15.html">integer overflow patched one year ago</a> and explained really well by Felipe in this <a href="http://blog.binamuse.com/2013/05/readerbmprle.html">blog post</a> and <a href="http://www.binamuse.com/papers/XFABMPReport.pdf">whitepaper</a>, so nothing to add here.</div>
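<p class="rtejustify">An added detection heuristic (not from the post or from peepdf) for the XFA image described above: it Base64-decodes the image value, checks that it is a BMP whose info header declares RLE compression, and measures how much of the pixel data consists of the repeated &ldquo;\x00\x02\xff\x00&rdquo; run. The samples are constructed inline; the reading of <em>00 02</em> as the RLE8 delta escape and the <em>BI_RLE8</em>/<em>BI_RLE4</em> constants come from the BMP format, not from the post.</p>

```python
import base64
import struct

BI_RLE8, BI_RLE4 = 1, 2
# Repeating run found in the spammed sample (from the post). In RLE8 encoding
# 00 02 is the "delta" escape, so each run means "move the cursor 255 pixels right".
SUSPICIOUS_RUN = b"\x00\x02\xff\x00"


def analyze_xfa_image(raw_value, min_ratio=0.9):
    """Inspect the Base64 rawValue of an XFA image element and return findings.
    'suspicious' is True when the data is an RLE BMP whose pixel data is made
    (almost) entirely of the repeated delta run. Non-BMP data is reported, not
    rejected, since a form image need not be a BMP."""
    data = base64.b64decode(raw_value, validate=True)
    result = {"size": len(data), "is_bmp": False, "rle": False,
              "run_ratio": 0.0, "suspicious": False}
    if len(data) < 54 or data[:2] != b"BM":
        return result
    result["is_bmp"] = True
    pixel_offset, = struct.unpack_from("<I", data, 10)          # bfOffBits
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", data, 18)
    result.update(width=width, height=height, bpp=bpp, compression=compression)
    result["rle"] = compression in (BI_RLE8, BI_RLE4)
    pixels = data[pixel_offset:] if pixel_offset < len(data) else b""
    if pixels:
        result["run_ratio"] = pixels.count(SUSPICIOUS_RUN) * len(SUSPICIOUS_RUN) / len(pixels)
    result["suspicious"] = result["rle"] and result["run_ratio"] >= min_ratio
    return result


def build_bmp(pixels, compression, width=1, height=1, bpp=8):
    """Construct a minimal BMP (BITMAPFILEHEADER + BITMAPINFOHEADER) around the
    given pixel bytes; used only to make sample inputs for this example."""
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, compression,
                       len(pixels), 0, 0, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return header + info + pixels


# Constructed samples: an RLE8 image shaped like the one in the post (the run
# repeated thousands of times), a benign RLE8 image (two ordinary runs, end of
# line, end of bitmap) and a non-BMP blob.
SAMPLE_B64 = base64.b64encode(build_bmp(SUSPICIOUS_RUN * 4096, BI_RLE8)).decode()
BENIGN_B64 = base64.b64encode(
    build_bmp(b"\x05\x01\x03\x02\x00\x00\x00\x01", BI_RLE8, width=8, height=1)).decode()
NON_BMP_B64 = base64.b64encode(b"GIF89a" + b"\x00" * 60).decode()

if __name__ == "__main__":
    for name, b64 in (("sample", SAMPLE_B64), ("benign", BENIGN_B64), ("non-bmp", NON_BMP_B64)):
        r = analyze_xfa_image(b64)
        print(name, r["is_bmp"], r["rle"], round(r["run_ratio"], 3), r["suspicious"])
```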
<p>
Knowing all the details about the exploit it was easy to make <a href="http://code.google.com/p/peepdf/"><em><strong>peepdf</strong></em></a> detect it (update it using the -u flag!):<br />
&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/06_cve-2013-2729_peepdf_detection.png"><img border="0" width="425" height="331" alt="cve-2013-2729_peepdf_detection" src="/eternal_files/uploads/06_cve-2013-2729_peepdf_detection_0.png" /></a></div>
<p>&nbsp; <br />
The shellcode was not hidden at all, it was located in plain sight within one of the script elements, so it was easy to decode with the <em>js_unescape</em> command. <br />
&nbsp;</p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/07_cve-2013-2729_shellcode.png"><img border="0" width="425" height="302" alt="cve-2013-2729_shellcode" src="/eternal_files/uploads/07_cve-2013-2729_shellcode_0.png" /></a></div>
<p>&nbsp; <br />
In both PDF files the shellcode tried to download an executable from a compromised web site:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">hxxp://dr-gottlob-institut.de/11.exe (91aa1168489a732ef7a70ceedc0c3bc9)<br />hxxp://filling-machine-india.com/images/1.exe (5ce7451cce4593698688bd526bfcec78)</span></pre><p>&nbsp; <br />
After the execution of the first binary the system was downloading:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">hxxp://pgalvaoteles.pt/111 (91d33fc439c64bd517f4f10a0a4574f1)<br />hxxp://files.karamellasa.gr/tvcs_russia/2.exe (e070ff758c2af2eee89f4a0f50077e30)</span></pre><p>&nbsp;</p>
<div class="rtejustify">The binary 91d33fc439c64bd517f4f10a0a4574f1 was dropping <a href="http://nakedsecurity.sophos.com/2014/02/27/notorious-gameover-malware-gets-itself-a-kernel-mode-rootkit/">ZeuS-P2P/Gameover with the Necurs rootkit</a>, but the size was unusually big (496,128 bytes). Inside the rootkit a PDB path related to GMER could be found (&ldquo;<em>e:\projects\cpp\gmer\driver\objfre_wxp_x86\i386\gmer.pdb</em>&rdquo;), probably used to disable the rootkit detection.</div>
<p>
After that, another loader was downloaded and executed:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">hxxp://www.shu-versicherungsvergleich.de/loader.exe</span></pre><p>&nbsp;</p>
<div class="rtejustify">From this point on, after connecting to <em>pimplelotion.com</em> (95.163.104.88) to receive instructions, a lot of binaries were executed. This is an example of the configuration received from this server:</div>
<p>&nbsp;</p>
<pre><span style="font-size: smaller;">&lt;?xml version=&quot;1.0&quot;?&gt;<br />&lt;config&gt;<br />&lt;interval&gt;10&lt;/interval&gt;<br />&lt;timeout&gt;5&lt;/timeout&gt;<br />&lt;urls&gt;hxxp://95.163.104.88&lt;/urls&gt;<br />&lt;country&gt;Netherlands&lt;/country&gt;<br />&lt;tasks&gt;<br />&lt;install id=&quot;1&quot; filetype=&quot;1&quot; name=&quot;soks&quot; autorun=&quot;1&quot; limits=&quot;0:16632&quot; filter=&quot;&quot; hash=&quot;2368a8c8b50900d57c0366049f755c05&quot;&gt;hxxp://segurgestion.es/1.bin&lt;/install&gt;<br />&lt;/tasks&gt;<br />&lt;/config&gt;</span></pre><p>&nbsp;<br />
And the list of URLs I had gathered until I stopped monitoring it:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">hxxp://adventiaingenieria.es/222<br />hxxp://segurgestion.es/1.bin<br />hxxp://golestangallery.com/333%283%29.exe<br />hxxp://intropitch.com/1.bin<br />hxxp://regleg.eu/images/777.exe</span></pre><p>&nbsp; </p>
<div class="rtejustify">So it was funny (and weird) to receive a PDF exploit directly via email and not the usual downloader like Andromeda/Upatre to drop ZeuS-P2P/Gameover (among others). Also, it was the first time I had seen this vulnerability in the wild, because, as far as I know, <a href="http://contagiodump.blogspot.nl/2010/06/overview-of-exploit-packs-update.html">it is not used in any Exploit Kit either</a>. If I am wrong and you think this vuln is common feel free to drop a comment ;)</div>
<p></p>
Comments: http://eternal-todo.com/blog/cve-2013-2729-exploit-zeusp2p-gameover#comments
Tags: Botnets, Exploits, Gameover, Malware, PDF, peepdf, Spam, Vulnerabilities, ZeuS-P2P
Tue, 20 May 2014 21:51:20 +0000 | jesparza | 119 at http://eternal-todo.com

Analysis of a CVE-2013-3346/CVE-2013-5065 exploit with peepdf
http://eternal-todo.com/blog/analysis-CVE-2013-3346-peepdf-troopers-blackhat
<div class="rtejustify">There are already some good blog posts talking about this exploit, but I think this is a really good example to show how <a href="http://peepdf.eternal-todo.com/"><em><strong>peepdf</strong></em></a> works and what you can learn next month if you attend the <a href="https://www.troopers.de/troopers14/troopers14-1-day-workshop-squeezing-exploit-kits-and-pdf-exploits/index.html">1day-workshop <em><strong>&ldquo;Squeezing Exploit Kits and PDF Exploits&rdquo;</strong></em></a> at <a href="https://www.troopers.de/troopers14/index.html">Troopers14</a> or the <a href="http://www.blackhat.com/asia-14/briefings.html#Esparza">2h-workshop <em><strong>&quot;PDF Attack: A Journey from the Exploit Kit to the Shellcode&quot;</strong></em></a> at <a href="https://www.blackhat.com/asia-14/schedule.html">Black Hat Asia (Singapore)</a>.&nbsp; The mentioned exploit was using the <a href="http://www.zerodayinitiative.com/advisories/ZDI-13-212/">Adobe Reader ToolButton Use-After-Free vulnerability</a> to execute code on the victim's machine and then the <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065">Windows privilege escalation 0day</a> to bypass the <a href="http://cansecwest.com/slides/2013/Adobe%20Sandbox.pdf">Adobe sandbox</a> and execute a new payload without restrictions.</div>
<p>
This is what we see when we open the PDF document (<a href="https://www.virustotal.com/es/file/91fa33cb02c4631c32b7ab9775dfbb5f77cfb4e50d4b97f30a895a2e3bc003ec/analysis/">6776bda19a3a8ed4c2870c34279dbaa9</a>) with <a href="https://twitter.com/peepdf"><em><strong>peepdf</strong></em></a>:<br />
&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/01-cve-2013-3346_info.png"><img border="0" width="450" height="363" alt="cve-2013-3346_info" src="/eternal_files/uploads/01-cve-2013-3346_info_0.png" /></a></div>
<p>&nbsp; </p>
<div class="rtejustify">There are three important things to highlight here: the file is quite large for a document with just 4 objects, there are some parsing errors and one object contains Javascript code. The first two could indicate that the document is suspicious, or just that it contains a big image and that <em>peepdf</em> is not able to parse the document correctly. However, if we add the presence of Javascript code to the equation then the file looks even more suspicious.
<p>But is this Javascript code really executed? We can check which objects reference the object containing the JS code (object 3):</p></div>
<p>&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/02-cve-2013-3346_object3_ref.png"><img border="0" width="400" height="364" alt="cve-2013-3346_object3" src="/eternal_files/uploads/02-cve-2013-3346_object3_ref_0.png" /></a></div>
<p>&nbsp; </p>
<div class="rtejustify">Object 3 is referenced from object 2, which is a Javascript action object having object 3 as the code to execute. Object 2 is referenced from object 1, which is the root object of the PDF document and the first one read by PDF readers. The <em>/OpenAction</em> element executes actions when the document is opened in the reader, so we can now be sure that the Javascript code found in object 3 will be executed when the reader opens the file.
<p>Having confirmed that the Javascript code is indeed executed, we can look at the code itself by showing the content of object 3.</p></div>
<p>&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/03-cve-2013-3346_object3_jjencoded.png"><img border="0" width="425" height="307" alt="cve-2013-3346_object3_jjencoded" src="/eternal_files/uploads/03-cve-2013-3346_object3_jjencoded_0.png" /></a></div>
<p>&nbsp;</p>
<div class="rtejustify">As <a href="http://www.kahusecurity.com/2013/jjencode-script-leads-to-drive-by/">mentioned in several analyses</a>, this code is encoded using <a href="http://utf-8.jp/public/jjencode.html"><em><strong>jjencode</strong></em></a>, written by Yosuke Hasegawa. This encoding algorithm takes one character and encodes the whole Javascript code based on that character. You can distinguish this obfuscation easily if the string <em>&ldquo;=~[];&rdquo;</em> is present. In this case we see <em>&ldquo;Q=~[];&rdquo;</em>, meaning that the character used was the letter Q. Recently, <a href="https://twitter.com/crackinglandia">Nahuel Riva</a> ported the <a href="https://github.com/crackinglandia/python-jjdecoder/blob/master/jjdecode.py">decoding algorithm to Python</a> and then I modified it a bit to make it work better and integrate it in <em>peepdf</em>. So now you can use the command <em>&ldquo;js_jjdecode&rdquo;</em> to obtain the original Javascript code:</div>
<p>&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/04-cve-2013-3346_peepdf_jjdecode.png"><img border="0" width="425" height="304" alt="cve-2013-3346_peepdf_jjdecode" src="/eternal_files/uploads/04-cve-2013-3346_peepdf_jjdecode_0.png" /></a></div>
<p>&nbsp;</p>
<div class="rtejustify">From this point, we can use the command <em>&ldquo;js_analyse&rdquo;</em> to try to emulate the code and extract the escaped bytes automatically, or just use the command <em>&ldquo;js_unescape&rdquo;</em> to unescape the shellcode and ROP chains manually, if necessary. I will show the result of executing <em>&ldquo;js_analyse&rdquo;</em>, storing the shellcode in a variable and showing its content afterwards:</div>
<p>&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/05-cve-2013-3346_peepdf_shellcode.png"><img border="0" width="425" height="374" alt="cve-2013-3346_peepdf_shellcode" src="/eternal_files/uploads/05-cve-2013-3346_peepdf_shellcode_0.png" /></a></div>
<p>&nbsp;</p>
<div class="rtejustify">The shellcodes can be emulated with the command <em>&ldquo;sctest&rdquo;</em>, but in this case we get a truncated output because one of the functions used in the shellcode is not handled by libemu. But, as we can extract the shellcode and write it to a file, we can analyze it however we prefer. For example, using <a href="http://sandsprite.com/blogs/index.php?uid=7&amp;pid=152"><em><strong>scdbg</strong></em></a> (<a href="http://www.securityartwork.es/2013/12/11/analisis-y-extraccion-de-pdf-exploitcve-2013-5065/">as shown in this article</a>), <a href="https://github.com/MarioVilas/shellcode_tools/blob/master/shellcode2exe.py"><em><strong>shellcode2exe</strong></em></a> to obtain an executable, or just copying the bytes into a debugger/disassembler. This screenshot shows one part of the shellcode analyzed with IDA:</div>
<p>&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/06-cve-2013-3346_decode_algorithm.png"><img border="0" width="450" height="192" alt="cve-2013-3346_decode_algorithm" src="/eternal_files/uploads/06-cve-2013-3346_decode_algorithm_0.png" /></a></div>
<p>&nbsp;</p>
<div class="rtejustify">This shellcode tries to exploit the vulnerability CVE-2013-5065 to bypass the Adobe Reader sandbox and then decode and execute a binary. This binary is embedded within the PDF document, but where? As I mentioned before, the PDF document is quite large for just 4 objects. We can see the physical structure of the document with the command <em>&ldquo;offsets&rdquo;</em>.</div>
<p>&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/07-cve-2013-3346_peepdf_offsets.png"><img border="0" width="425" height="356" alt="cve-2013-3346_peepdf_offsets" src="/eternal_files/uploads/07-cve-2013-3346_peepdf_offsets_0.png" /></a></div>
<p>&nbsp; </p>
<div class="rtejustify">There is a huge gap between object 10 and object 2, so it is worth taking a quick look at that. We can show the raw bytes of the PDF document with the command <em>&ldquo;bytes&rdquo;</em>:</div>
<p>&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/08-cve-2013-3346_peepdf_hidden_bytes.png"><img border="0" width="500" height="230" alt="cve-2013-3346_peepdf_hidden_bytes" src="/eternal_files/uploads/08-cve-2013-3346_peepdf_hidden_bytes_0.png" /></a></div>
<p>&nbsp; </p>
<div class="rtejustify">We have found a hidden &ldquo;object&rdquo; here. The tool is not showing it because it is not really an object: it lacks a valid object header (<em>&ldquo;X Y obj&rdquo;</em>). Instead we have &ldquo;<em>obj 4 0</em>&rdquo;, so no PDF reader will parse this object successfully; they will just ignore it. But it is not useless at all, because the shellcode looks for the bytes <em><strong>0xa0909f2</strong></em> within the PDF file content (see the IDA screenshot above) and starts decoding from that point. <a href="http://www.fireeye.com/blog/technical/cyber-exploits/2013/12/cve-2013-33465065-technical-analysis.html">The FireEye team posted the algorithm to decode the content</a>, so there is no need to reinvent the wheel: we can extract all these bytes and then just use their Python script to obtain the executable:</div>
<p>&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/09-cve-2013-3346_decode_binary.png"><img border="0" width="450" height="253" alt="cve-2013-3346_decode_binary" src="/eternal_files/uploads/09-cve-2013-3346_decode_binary_0.png" /></a></div>
<p>&nbsp;</p>
<div class="rtejustify">The size of the decoded binary (105,476 bytes) does not match the binary mentioned everywhere (<a href="https://www.virustotal.com/es/file/0b97c87126578113050d8e014e8fefeb33146eebc40e75c070882ec31ae26aab/analysis/">111ed2f02d8af54d0b982d8c9dd4932e</a>, 176,245 bytes). That's because here we have decoded just the binary, whereas the shellcode decodes from the <em><strong>0xa0909f2</strong></em> mark until the end of the file, decoding the rest of the PDF file too, which is not necessary at all.
<p>Again, if you like this type of analysis, a really good way to learn more about it is attending the workshops about <a href="https://www.troopers.de/troopers14/troopers14-1-day-workshop-squeezing-exploit-kits-and-pdf-exploits/index.html">how to analyze Exploit Kits and PDF exploits at Troopers in Heidelberg (17th of March)</a> and <a href="http://www.blackhat.com/asia-14/briefings.html#Esparza">at Black Hat Asia in Singapore (27-28th of March)</a>. It will be fun! See you there! ;)</p></div>
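<p class="rtejustify">The three checks walked through above (following <em>/OpenAction</em> to the object holding the JavaScript, looking for the jjencode marker <em>&ldquo;=~[];&rdquo;</em>, and spotting an oversized gap between objects that hides a malformed <em>&ldquo;obj 4 0&rdquo;</em> header) can be scripted as a first-pass triage. The Python below is an added example, not code from this post or from <em>peepdf</em>; the document it parses is a constructed miniature of the one analysed here, and its regex-based object walk assumes an uncompressed file with no object streams.</p>

```python
import re

# Constructed sample (not the real malicious document): a catalog whose
# /OpenAction runs a JavaScript action, a jjencoded script built from the
# character Q, and a 300-byte blob hidden between objects behind the
# malformed header "obj 4 0", which no PDF reader parses as an object.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 5 0 R /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Action /S /JavaScript /JS 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Length 35 >>\nstream\nQ=~[];Q={___:++Q,$$$$:(![]+'')[Q]};\nendstream\nendobj\n"
    + b"obj 4 0\n" + b"\x90" * 300 + b"\n"
    + b"5 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

OBJ_HDR = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b")  # well-formed "X Y obj"
FAKE_HDR = re.compile(rb"\bobj\s+(\d+)\s+(\d+)\b")         # reversed "obj X Y"
REF = rb"(\d+)\s+(\d+)\s+R"                                # indirect reference


def find_objects(data):
    """Locate every well-formed 'X Y obj ... endobj' block and its offsets."""
    objects = []
    for m in OBJ_HDR.finditer(data):
        tail = data.find(b"endobj", m.end())
        body_end = len(data) if tail < 0 else tail
        objects.append({"num": int(m.group(1)), "gen": int(m.group(2)),
                        "start": m.start(),
                        "end": body_end if tail < 0 else tail + len(b"endobj"),
                        "body": data[m.end():body_end]})
    return objects


def find_gaps(data, objects, min_size=64):
    """Byte ranges between consecutive objects larger than min_size. Each one
    is scanned for a reversed header such as 'obj 4 0': readers ignore it,
    but code reading the raw file can still locate data stored there."""
    gaps = []
    ordered = sorted(objects, key=lambda o: o["start"])
    for prev, nxt in zip(ordered, ordered[1:]):
        size = nxt["start"] - prev["end"]
        if size < min_size:
            continue
        fake = FAKE_HDR.search(data[prev["end"]:nxt["start"]])
        gaps.append({"after_obj": prev["num"], "before_obj": nxt["num"],
                     "offset": prev["end"], "size": size,
                     "fake_header": fake.group(0).decode() if fake else None})
    return gaps


def find_auto_js(objects):
    """Follow /Catalog -> /OpenAction -> /S /JavaScript -> /JS and return the
    number of the object holding the script that runs on open, or None.
    (Scope is deliberately narrow: /AA and /Names triggers are not followed.)"""
    by_num = {o["num"]: o for o in objects}
    for obj in objects:
        if b"/Catalog" not in obj["body"]:
            continue
        ref = re.search(rb"/OpenAction\s+" + REF, obj["body"])
        if not ref:
            continue
        action = by_num.get(int(ref.group(1)))
        if action is None or b"/JavaScript" not in action["body"]:
            continue
        js_ref = re.search(rb"/JS\s+" + REF, action["body"])
        return int(js_ref.group(1)) if js_ref else action["num"]  # indirect or inline /JS
    return None


def stream_data(obj):
    """Raw stream bytes of an object (its body when it has no stream)."""
    m = re.search(rb"stream\r?\n(.*?)\r?\nendstream", obj["body"], re.S)
    return m.group(1) if m else obj["body"]


def jjencode_key(js):
    """jjencode output opens with '<name>=~[];'; return the single character
    the whole payload is built from, or None when the marker is absent."""
    m = re.search(rb"(?<![\w$])([\w$]+)=~\[\];", js)
    return m.group(1).decode() if m else None


def triage(data):
    """Combine the three indicators discussed in the post into one report."""
    objects = find_objects(data)
    by_num = {o["num"]: o for o in objects}
    js_num = find_auto_js(objects)
    js = stream_data(by_num[js_num]) if js_num in by_num else b""
    return {"objects": len(objects),
            "auto_js_object": js_num,
            "jjencode_key": jjencode_key(js),
            "hidden_gaps": find_gaps(data, objects)}


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```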
<p>References:<br />
<a href="http://www.fireeye.com/blog/technical/cyber-exploits/2013/12/cve-2013-33465065-technical-analysis.html">CVE-2013-3346/5065 Technical Analysis</a><br />
<a href="http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html">The Kernel is calling a zero(day) pointer &ndash; CVE-2013-5065 &ndash; Ring Ring</a><br />
<a href="http://www.invincea.com/2013/12/e-k-i-a-adobe-reader-exploit-cve-2013-3346-kernel-ndproxy-sys-zero-day-eop/">E.K.I.A &ndash; ADOBE READER EXPLOIT (CVE-2013-3346) &amp; KERNEL NDPROXY.SYS ZERO-DAY EOP</a><br />
<a href="http://www.securityartwork.es/2013/12/11/analisis-y-extraccion-de-pdf-exploitcve-2013-5065/">An&aacute;lisis y extracci&oacute;n de PDF.Exploit/CVE-2013-5065</a><br />
<a href="http://www.secniu.com/blog/the-shellcode-analysis-used-in-the-latest-zero-day-attack-analysis-cve-2013-5065cve-2013-3346/">The Shellcode Used in the latest Zero Day Attack Analysis (CVE-2013-5065&amp;CVE-2013-3346)</a><br />
<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/windows-xpserver-2003-zero-day-payload-uses-multiple-anti-analysis-techniques/">Windows XP/Server 2003 Zero-Day Payload Uses Multiple Anti-Analysis Techniques</a></p>
<p>Tags: Conferences, Exploits, PDF, peepdf, Shellcode, Tools, Vulnerabilities, Workshop. Posted Thu, 20 Feb 2014 19:48:17 +0000 by jesparza. <a href="http://eternal-todo.com/blog/analysis-CVE-2013-3346-peepdf-troopers-blackhat#comments">Comments</a></p>
<p><strong>Advertisement network installing Android FakeAV (Mobile Defender)</strong><br />
<a href="http://eternal-todo.com/blog/advertisement-network-mobile-defender-fakeav">http://eternal-todo.com/blog/advertisement-network-mobile-defender-fakeav</a></p>
<p>One month ago I was trying to find a streaming site to watch a Spanish soccer match and I found <em>futbolenvivoaldia.com</em>. It was a redirection to the famous site <em>Tarjeta Roja</em>, but the interesting thing was that when I browsed the site with my mobile phone I saw the typical Antivirus scanner page saying that my device was infected. The page was also trying to download an app called <em>&ldquo;androidav_free.APK&rdquo;</em> (<em>24f0a666a714e26c6c07ab407e37b112</em>) to my device.<br />
&nbsp; </p>
<div class="rtecenter"><a href="/eternal_files/uploads/mobile_defender_scan.png" target="_blank"><img width="250" height="417" border="0" src="/eternal_files/uploads/mobile_defender_scan_0.png" alt="" /></a></div>
<p>&nbsp; <br />
The source of this fake page was <em>Mobicow</em>, one of the advertisement networks used by the site <em>tarjetaroja.eu</em>. After some redirections and tracking URLs, this network returned the following URL to the user's browser:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">hxxp://cleanupnowonline10.biz/?u=Y0vbAf0fW9lIhVAxPi2nZQo</span></pre><p>&nbsp; <br />
This page was loading Javascript code from here:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">hxxp://cleanupnowonline10.biz/js/wapc.js</span></pre><p>&nbsp; <br />
The <a href="http://pastebin.com/jFp3Y1wP">code was obfuscated</a> and this was the second stage of Javascript code:<br />
&nbsp;<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=i9hw2vSr" style="border:none;width:100%;height:300px;font-size:7px;"></iframe> &nbsp;<br />
Taking a look at the script content we can see that it contains all the functions necessary to show the fake infection page to the user. We can also see that the following URL was used to download the app:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">hxxp://cleanupnowonline10.biz/apk.php</span></pre><p>&nbsp;</p>
<div class="rtecenter"><a href="/eternal_files/uploads/mobile_defender_download.png" target="_blank"><img width="400" height="325" border="0" src="/eternal_files/uploads/mobile_defender_download_0.png" alt="" /></a></div>
<p>&nbsp; <br />
After installing the app we see <em>Mobile Defender</em>, a nice rogue app which tries to scare users into buying the &ldquo;pro&rdquo; version. A lifetime license for just $15, what a bargain! ;p<br />
&nbsp; </p>
<div class="rtecenter"><a href="/eternal_files/uploads/mobile_defender_icon.png" target="_blank"><img width="250" height="379" border="0" src="/eternal_files/uploads/mobile_defender_icon_0.png" alt="Mobile Defender malware icon" /></a>&nbsp; <a href="/eternal_files/uploads/mobile_defender_av_results.png" target="_blank"><img width="250" height="419" border="0" src="/eternal_files/uploads/mobile_defender_av_results_0.png" alt="Mobile Defender malware av results" /></a></div>
<div class="rtecenter"><a href="/eternal_files/uploads/mobile_defender_license.png" target="_blank"><img width="250" height="420" border="0" src="/eternal_files/uploads/mobile_defender_license_0.png" alt="Mobile Defender activation license" /></a>&nbsp;&nbsp;<a href="/eternal_files/uploads/mobile_defender_cc_details.png" target="_blank"><img width="250" height="417" border="0" src="/eternal_files/uploads/mobile_defender_cc_details_0.png" alt="Mobile Defender credit card details" /></a></div>
<p>&nbsp;&nbsp; <br />
The problem is that the application is a bit too persuasive and makes the device difficult for its owner to use because of the fake Antivirus results. We can say that it is the mobile version of a mix between a FakeAV and a <a href="http://eternal-todo.com/blog/ransomware-spanish-police">ransomware</a>. </p>
<p>After analyzing the files within the APK we can see two interesting XML files. One of them, <em>&ldquo;VirusesDescription.xml&rdquo;</em>, describes the malware that the app is able to &ldquo;detect&rdquo;. In this file we can find malware information in English and Russian, so we can assume that the origin is probably Russian.<br />
&nbsp; </p>
<pre><span style="font-size: smaller;"> &lt;item&gt;<br /> &lt;id&gt;1&lt;/id&gt;<br /> &lt;name&gt;Trojan-SMS.AndroidOS.FakePlayer&lt;/name&gt;<br /> &lt;type&gt;Trojan&lt;/type&gt;<br /> &lt;description&gt;Маскируется под медиаплеер и после установки рассылает смс по платным номерам&lt;/description&gt;<br /> &lt;description_en&gt;Disguises itself as a media player; once installed, sends messages to toll numbers.&lt;/description_en&gt;<br /> &lt;/item&gt;<br /> &lt;item&gt;<br /> &lt;id&gt;2&lt;/id&gt;<br /> &lt;name&gt;Geinimi&lt;/name&gt;<br /> &lt;type&gt;Spyware&lt;/type&gt;<br /> &lt;description&gt;Собирает информацию об устройстве и отправляет его на удаленный сервер&lt;/description&gt;<br /> &lt;description_en&gt;Collects information about the device and sends it to a remote server&lt;/description_en&gt; <br /> &lt;/item&gt;<br /> &lt;item&gt;<br /> &lt;id&gt;3&lt;/id&gt;<br /> &lt;name&gt;Android.Plankton&lt;/name&gt;<br /> &lt;type&gt;Spyware&lt;/type&gt;<br /> &lt;description&gt;Считывала данные устройства (ID устройства, версия SDK, сведения о привилегиях файла), передает эту информацию на удаленный сервер&lt;/description&gt;<br /> &lt;description_en&gt;Reads the device data (device ID, SDK version, file privilege data), passing the information to a remote server&lt;/description_en&gt;<br /> &lt;/item&gt;</span></pre><p>&nbsp; <br />
The second interesting XML file is <em>&ldquo;AffiliateSettings.xml&rdquo;</em>. It contains the URL visited when the app is executed (<em>&ldquo;statsapi&rdquo;</em>) and also the URL used to send the credit card details in order to pay for the &ldquo;pro&rdquo; version (<em>&ldquo;buysite&rdquo;</em>):<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">&lt;root&gt;<br /> &lt;affid&gt;&lt;![CDATA[84700]]&gt;&lt;/affid&gt;<br /> &lt;statsapi&gt;&lt;![CDATA[http://219.235.1.127/api/dom/no_respond/?group=amd&amp;ver=0001&amp;ts=5cebbc77472874c38b9531da2d83cb32478782c4&amp;token=fya14oiYU]]&gt;&lt;/statsapi&gt;<br /> &lt;buysite&gt;&lt;![CDATA[http://pdblprotect.com/p/?group=amd&amp;ver=0001&amp;ps=$devtype$]]&gt;&lt;/buysite&gt;<br />&lt;/root&gt;<a id="fck_paste_padding">﻿</a></span></pre><p>&nbsp; <br />
The app certificate was issued on the 10th of August 2013 (<em>Aug 10 17:15:36 2013 GMT</em>) and the package was created on the 15th of September 2013. The package name is <em>com.example.androiddefender2</em>. </p>
<p>As a curiosity, and to show how &ldquo;legitimate&rdquo; this application is, here is the code used to analyze the device looking for malware:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;"> this.countViruses = SystemFunctions.generateRandomCountVirus(4, 9);<br /> if (this.countViruses &gt; 0)<br /> {<br /> this.indexesVr = SystemFunctions.generateVirusForIndex(this.countViruses);<br /> AppSingleton.getInstance().getDB(getApplicationContext());<br /> } </span></pre><p>&nbsp; <br />
Nice, eh? ;) Remember that paying is not an option, because you cannot be sure that the license is going to work. In this case, the app keeps annoying you even if you pay. You can prove this by entering the activation code, which is hardcoded in the app:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">public String activation_code = &quot;7152&quot;;</span></pre><p>&nbsp; <br />
It seems that advertisements published on well-known sites were not the only way to distribute this malware; it was also spread through SPAM campaigns:<br />
<a href="http://www.fireeye.com/blog/technical/2013/09/android-malware.html">http://www.fireeye.com/blog/technical/2013/09/android-malware.html</a><br />
<a href="http://garwarner.blogspot.nl/2013/09/fake-av-malware-hits-android.html">http://garwarner.blogspot.nl/2013/09/fake-av-malware-hits-android.html</a><br />
&nbsp; <br />
You can see here <a href="http://pastebin.com/dKJwrKM9">additional information about the domains/IPs related to this malware</a>.</p>
<p>Tags: Analysis, Android, Fraud, Malware, Mobile, Spam. Posted Mon, 28 Oct 2013 01:10:31 +0000 by jesparza. <a href="http://eternal-todo.com/blog/advertisement-network-mobile-defender-fakeav#comments">Comments</a></p>
<p><strong>Styx Exploit Kit installing Simda</strong><br />
<a href="http://eternal-todo.com/blog/styx-exploit-kit-simda">http://eternal-todo.com/blog/styx-exploit-kit-simda</a></p>
<p>I was already missing these SPAM emails with some advice about my sexual life: <em>&ldquo;Your woman wants you to be the best lover&rdquo;</em>, <em>&ldquo;The greatest technique to gratify your lady&rdquo;</em>, etc. I was getting upset about this, I needed some help...;p<br />
&nbsp; </p>
<div class="rtecenter"><a href="/eternal_files/uploads/mail_spam.png" target="_blank"><img width="400" height="268" border="0" src="/eternal_files/uploads/mail_spam_0.png" alt="Styx Spam email" /></a></div>
<p>&nbsp; <br />
So finally I am receiving a lot of these again. After visiting the link (<em>hxxp://goozix.com/its.html</em>) we see a redirection to a page selling Viagra and other &ldquo;medicines&rdquo;. But there is also some malicious Javascript code hidden there:<br />
&nbsp;<br />
<iframe style="border:none;width:100%;height:300px;font-size:7px;" src="http://pastebin.com/embed_iframe.php?i=fyryXgKb"></iframe> &nbsp;<br />
The deobfuscated code creates a cookie (<em>&ldquo;visited_uq=55&rdquo;</em>) and an iframe to load the URL <em>hxxp://gylaqim.com/exit.php</em>. This domain, created on the 21st of September, resolves to a different IP each time and has a history of more than 400 IPs. It has 6 authoritative DNS servers, <em>ns*.gylaqim.com</em>, which also resolve to multiple IPs. </p>
<p>Depending on which server responds after visiting <em>hxxp://gylaqim.com/exit.php</em> we are redirected either to another initial page - with another redirection to a Viagra site plus malicious Javascript code - or to the actual exploit kit.</p>
<p>The initial pages seen so far are the following:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">hxxp://178.170.104.124/destruction.html<br />hxxp://178.170.104.124/seed.html<br />hxxp://actes-lyon.org/true.html<br />hxxp://aybabtu.ru/express.html<br />hxxp://brave.net.nz/ocean.html<br />hxxp://goozix.com/its.html<br />hxxp://moniwild.sakura.ne.jp/average.html<br />hxxp://rodinr.511.com1.ru/angle.html<br />hxxp://southeasterntrains-fail.com/somewhere.html<br />hxxp://toys-store.net/dawn.html<br />hxxp://toys-store.net/low.html<br />hxxp://webhydro.com/copy.html </span></pre><p>&nbsp; <br />
The URLs leading to the exploit kit have the following format:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">hxxp://www3.ad63gyomll2jo237-1.usa.cc/?war0he=mbblKWampZqWdPsrJqgkqbe22%2BWaGVmp5qpaJyYlIg%3D<br />hxxp://www3.ad63gyomll2jo237-1.usa.cc/?xsp2a4=njZlp5pmpZqWdPsrJqgkqbe22%2BWaGVmqKynapVnlIg%3D<br />hxxp://www3.ev2okgoe5o6.usa.cc/?9fq8=XdvanKKraGfjdvYcpxqX9rlpKLcY5%2BgmqjHbaZoa4o%3D<br />hxxp://www3.ev2okgoe5o6.usa.cc/?c37spa463=h6ig12WbWhni%2BKlrJibldmp23PJZGeoo5qWbmqXqFY%3D<br />hxxp://www3.x-8hlldq1w50.usa.cc/?nxemgrrrxh=ku3O0aSnqSsjuSgdZWgktjlnbSbYZ6tmKbJqqmkqow%3D<br />hxxp://www3.y-83m4wjpzlx6.usa.cc/?2ef0=VtrPlLZicWWhWuPdraegnqqm0aOWql1tZqaWrGirJA%3D</span></pre><p>&nbsp; <br />
Once you visit these links you are redirected again, towards an <em>&ldquo;i.html&rdquo;</em> page:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">hxxp://www1.l5yhg95szx7k42.usa.cc/i.html<br />hxxp://www1.o-6vuo7jzwff5fv.usa.cc/i.html<br />hxxp://www1.qejt8wkvxre5a98.usa.cc/i.html<br />hxxp://www1.xjfvtg6bagx8.usa.cc/i.html<br />hxxp://www1.yi4f59df9s509dmg7.usa.cc/i.html</span></pre><p>&nbsp; <br />
This page contains Javascript code to detect the plugins installed in the browser (<em>PluginDetect</em>), an iframe (<em>&ldquo;crezidf.html&rdquo;</em>) and more Javascript code to obtain the iframe content and decode it. This simple trick makes the deobfuscation depend on the iframe and, therefore, harder to analyze automatically.<br />
&nbsp; <br />
<iframe style="border:none;width:100%;height:300px;font-size:7px;" src="http://pastebin.com/embed_iframe.php?i=FzCyksKn"></iframe> &nbsp; <br />
After the deobfuscation step:<br />
&nbsp; <br />
<iframe src="http://pastebin.com/embed_iframe.php?i=kiDpUViY" style="border:none;width:100%;height:300px;font-size:7px;"></iframe> &nbsp; <br />
We can see three different web pages depending on the Java version installed:</p>
<ul>
<li>The web page <em>&ldquo;jorg.html&rdquo;</em> downloads the file <em>&ldquo;dhmjtxOsBAhk.jar&rdquo;</em> (<a href="https://www.virustotal.com/file/532e88a562a39f2543ccff5176af773b61dc9c1df44c2a1fcc554e734936e27f/analysis/1380639766/"><strong>cba750fafa12d9f53dedac9101d54180</strong></a>), an exploit of the <em>&ldquo;Java Applet Field Bytecode Verifier&rdquo;</em> vulnerability (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1723"><strong>CVE-2012-1723</strong></a>).</li>
<li>When <em>&ldquo;jvvn.html&rdquo;</em> is loaded it tries to download the applet <em>&ldquo;YcWDhYnhO.jar&rdquo;</em> (<a href="https://www.virustotal.com/file/dddb7e36d86883092e05e125d1bcf1dfa68d7d96f0fcdc4f7fb9bc5e830ebd82/analysis/1380876176/"><strong>f2a978cce12906af5bb9d91112143a1a</strong></a>) to exploit a security problem in the JRE 2D subcomponent (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463"><strong>CVE-2013-2463</strong></a>).</li>
<li>Finally, when the user is redirected to <em>&ldquo;jply.html&rdquo;</em> the file <em>&ldquo;CxolvGRXM.jnlp&rdquo;</em> is downloaded to <a href="http://immunityproducts.blogspot.nl/2013/04/yet-another-java-security-warning-bypass.html"><strong>bypass the security warning window</strong></a> and the applet <em>&ldquo;zApWqe.jar&rdquo;</em> (<a href="https://www.virustotal.com/file/61d9f708820d3a3e00afdda2699f331a9f7cd3be247a1821e1e790ded619f589/analysis/1380733590/"><strong>5783988184709219c949fba03dead46e</strong></a>) is executed to try to exploit the <em>&ldquo;Java Applet ProviderSkeleton&rdquo;</em> vulnerability (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460"><strong>CVE-2013-2460</strong></a>).</li>
</ul>
<p>
If there is no Java plugin installed, or the installed Java version does not match the one specified in the code, then <em>&ldquo;pdfx.html&rdquo;</em> is loaded. If the URLs mentioned above could already give us an idea about the exploit kit used, after seeing this name, <em>&ldquo;pdfx.html&rdquo;</em>, there is no doubt that we are dealing with <a href="http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html">Styx Exploit Kit</a>.</p>
<p>Similarly to <em>&ldquo;i.html&rdquo;</em>, <em>&ldquo;pdfx.html&rdquo;</em> also loads an iframe (<em>&ldquo;mbahsldw.html&rdquo;</em>) and some Javascript code to decode the iframe content. The second stage of Javascript code was this:<br />
&nbsp; <br />
<iframe style="border:none;width:100%;height:300px;font-size:7px;" src="http://pastebin.com/embed_iframe.php?i=j9iCrYpu"></iframe> &nbsp; <br />
Here we can see that the <em>&ldquo;fnts.html&rdquo;</em> page is loaded when the browser is Internet Explorer and the system is not a 64-bit platform. This page then downloads the file <em>&ldquo;bXwOlglw.eot&rdquo;</em> (51f2ae12128ee8115f65e2657e6afddc) to exploit the <em>&ldquo;TrueType Font Parsing&rdquo;</em> vulnerability (<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3402">CVE-2011-3402</a>). Besides this, depending on the Adobe Reader version installed, the file <em>&ldquo;KummvICu.pdf&rdquo;</em> (2a4e488c0ef620482ae93778249b4447) tries to exploit the TIFF vulnerability (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188">CVE-2010-0188</a>), or we are redirected to <em>&ldquo;retn.html&rdquo;</em>. This page was returning a 404 code at the moment of the analysis. Apparently, a real 404 ;)<br />
&nbsp; </p>
<div class="rtecenter"><a href="/eternal_files/uploads/vtcheck.png" target="_blank"><img width="450" height="224" border="0" src="/eternal_files/uploads/vtcheck_0.png" alt="Styx exploits" /></a></div>
<p>&nbsp; <br />
If any of the exploits succeeds, a big binary (1.1 MB) named <em>&quot;scandsk.exe&quot;</em> (6ee26e3783a45aa22b8541b681bc5643) is downloaded from a URL similar to the following and executed.<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">hxxp://www2.lmm3jn8un9e0t3.mohamed.me/?6ksgfcay=Ws7gy6PI2dMOxo5%2BfWd7hdaahcZtaeqpydpVnL0Jrnq4u5e5qjn8%2BwmozWhQ%3D%3D&amp;h=11</span></pre><p>&nbsp;</p>
<div class="rtecenter"><a href="/eternal_files/uploads/exe_download.png" target="_blank"><img width="425" height="337" border="0" src="/eternal_files/uploads/exe_download_0.png" alt="Downloading Simda binary" /></a></div>
<p>&nbsp;</p>
<p>
Once executed, something was clearly not working properly, because the created process was using 100% of the CPU:<br />
&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/process_100_cpu.png"><img width="399" height="180" border="0" alt="Simda with 100% CPU usage" src="/eternal_files/uploads/process_100_cpu.png" /></a></div>
<p>&nbsp; <br />
Then it was time to take a look at the process memory with Olly. A suspicious section with execute permissions was easily spotted, containing some binary files. Looking at one of them with IDA we could see a lot of strings and the reason for this huge CPU usage: an infinite loop triggered by the detection of certain running processes.<br />
&nbsp; </p>
<div class="rtecenter"><a target="_blank" href="/eternal_files/uploads/check1_en.png"><img width="450" height="338" border="0" alt="Simda anti-analysis checks" src="/eternal_files/uploads/check1_en_0.png" /></a></div>
<p>&nbsp; <br />
As you can see, this function adds 100 &quot;points&quot; each time a running process matches one of the blacklisted processes and 10 &quot;points&quot; for each blacklisted registry key that exists in the system. If the final score is greater than 20 then it enters an endless loop. These are the blacklisted processes:<br />
&nbsp; </p>
<pre><span style="font-size:smaller;">cv.exe<br />irise.exe<br />IrisSvc.exe<br />wireshark.exe<br />dumpcap.exe<br />ZxSniffer.exe<br />Aircrack-ngGui.exe<br />observer.exe<br />tcpdump.exe<br />WinDump.exe<br />wspass.exe<br />Regshot.exe<br />ollydbg.exe<br />PEBrowseDbg.exe<br />windbg.exe<br />DrvLoader.exe<br />SymRecv.exe<br />Syser.exe<br />apis32.exe<br />VBoxService.exe<br />VBoxTray.exe<br />SbieSvc.exe<br />SbieCtrl.exe<br />SandboxieRpcSs.exe<br />SandboxieDcomLaunch.exe<br />SUPERAntiSpyware.exe<br />ERUNT.exe<br />ERDNT.exe<br />EtherD.exe<br />Sniffer.exe<br />CamtasiaStudio.exe<br />CamRecorder.exe</span></pre><p>&nbsp; <br />
And the blacklisted registry keys:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">Software\\CommView<br />SYSTEM\\CurrentControlSet\\Services\\IRIS5<br />Software\\eEye Digital Security<br />Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Wireshark<br />Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\wireshark.exe<br />Software\\ZxSniffer<br />Software\\Cygwin<br />Software\\Cygwin<br />Software\\B Labs\\Bopup ObserverAppEvents\\Schemes\\Apps\\Bopup Observer<br />Software\\B Labs\\Bopup Observer <br />Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Win Sniffer_is1<br />Software\\Win Sniffer<br />Software\\Classes\\PEBrowseDotNETProfiler.DotNETProfiler <br />Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Start Menu2\\Programs\\Debugging Tools for Windows (x86)<br />SYSTEM\\CurrentControlSet\\Services\\SDbgMsg <br />Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Start Menu2\\Programs\\APIS32<br />Software\\Syser Soft <br />Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\APIS32<br />Software\\APIS32<br />Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Oracle VM VirtualBox Guest Additions<br />SYSTEM\\CurrentControlSet\\Services\\VBoxGuest<br />Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Sandboxie<br />SYSTEM\\CurrentControlSet\\Services\\SbieDrv <br />Software\\Classes\\Folder\\shell\\sandbox <br />Software\\Classes\\*\\shell\\sandbox<br />Software\\SUPERAntiSpyware.com<br />Software\\Classes\\SUPERAntiSpywareContextMenuExt.SASCon.1<br />Software\\SUPERAntiSpyware.com<br />Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ERUNT_is1</span> </pre><p>&nbsp; <br />
In the same anti-analysis function they also check whether the process is being debugged, whether Sandboxie is running, etc. If the file <em>&ldquo;c:\\cgvi5r6i\\vgdgfd.72g&rdquo;</em> exists and contains certain bytes then the other checks are skipped. With this information we can already say that the binary is a version of <a href="http://about-threats.trendmicro.com/us/malware/BKDR_SIMDA.SU">Simda</a>.</p>
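<p class="rtejustify">As an added example (not code from the post or from the sample), the following Python reimplements the point scheme just described over constructed inputs, to show which combinations of leftovers trip the endless loop. The blacklists are a subset of the two lists above, name comparison is assumed to be case-insensitive, and the debugger, Sandboxie and marker-file checks are left out.</p>

```python
# Scoring recovered from the anti-analysis function in the screenshot above:
# +100 per blacklisted process found running, +10 per blacklisted registry
# key present, and a total strictly greater than 20 sends the sample into
# its endless loop. The names below are a subset of the lists in the post.
PROCESS_POINTS = 100
REGKEY_POINTS = 10
LOOP_THRESHOLD = 20

BLACKLISTED_PROCESSES = {
    "wireshark.exe", "dumpcap.exe", "tcpdump.exe", "WinDump.exe",
    "ollydbg.exe", "windbg.exe", "Regshot.exe", "Syser.exe",
    "VBoxService.exe", "VBoxTray.exe", "SbieSvc.exe", "SbieCtrl.exe",
}
BLACKLISTED_KEYS = {
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe",
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions",
    r"SYSTEM\CurrentControlSet\Services\VBoxGuest",
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie",
    r"SYSTEM\CurrentControlSet\Services\SbieDrv",
    r"Software\Classes\Folder\shell\sandbox",
}


def analysis_score(running_processes, present_keys):
    """Return (score, matched_processes, matched_keys). Comparison is
    case-insensitive (an assumption: Windows names are case-insensitive)."""
    running = {p.lower() for p in running_processes}
    present = {k.lower() for k in present_keys}
    procs = sorted(p for p in BLACKLISTED_PROCESSES if p.lower() in running)
    keys = sorted(k for k in BLACKLISTED_KEYS if k.lower() in present)
    score = PROCESS_POINTS * len(procs) + REGKEY_POINTS * len(keys)
    return score, procs, keys


def would_stall(running_processes, present_keys):
    """True when the sample would spin forever instead of running its payload."""
    return analysis_score(running_processes, present_keys)[0] > LOOP_THRESHOLD


# Constructed scenarios: two leftover VirtualBox keys score exactly 20, which
# is NOT above the threshold; a third key or any single blacklisted process
# (VBoxService.exe alone is enough) tips the score over it.
VBOX_GUEST_KEYS = [
    r"SYSTEM\CurrentControlSet\Services\VBoxGuest",
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions",
]
IDLE_PROCESSES = ["explorer.exe", "svchost.exe", "csrss.exe"]

if __name__ == "__main__":
    scenarios = [
        ("two VBox keys, no tools running", IDLE_PROCESSES, VBOX_GUEST_KEYS),
        ("two VBox keys + Sandboxie driver key", IDLE_PROCESSES,
         VBOX_GUEST_KEYS + [r"SYSTEM\CurrentControlSet\Services\SbieDrv"]),
        ("two VBox keys + Wireshark running", IDLE_PROCESSES + ["Wireshark.exe"], VBOX_GUEST_KEYS),
        ("clean host", IDLE_PROCESSES, []),
    ]
    for label, procs, keys in scenarios:
        score, p, k = analysis_score(procs, keys)
        print(f"{label}: score={score} stalls={score > LOOP_THRESHOLD} procs={p} keys={k}")
```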
<p>This sample, among other things, is able to send some information about the system to its control panels: system language, operating system, <em>ProductId</em>, etc.<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">wv=%s&amp;uid=%d&amp;lng=%s&amp;mid=%s&amp;res=%s&amp;v=%08X</span></pre><p>&nbsp; <br />
Depending on the request type this information is included or not within the following parameters:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">controller=hash&amp;mid=<br />controller=sign&amp;data=%s&amp;mid=%s</span></pre><p>&nbsp; <br />
Then these parameters are decoded and added as the value of a two-character parameter:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">&quot;?%c%c=%s&quot;</span></pre><p>&nbsp; <br />
Both of these are HTTP GET requests, using a hostname with the format <em>&quot;update%s.%s.com&quot;</em> and the following User-Agent:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre</span></pre><p>&nbsp; <br />
The hardcoded IPs where these requests are sent depend on the request type too:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">212.117.176.187 (<em>hash</em>)<br />79.133.196.94 (<em>sign</em>)<br />69.57.173.222 (<em>sign</em>)</span></pre><p>&nbsp; <br />
Another request type uses more than two characters as the parameter name, but it also encodes the system information as the value of this parameter. In this case the hostname has a different format (<em>report.93aaaaaa9ku7m3g793k.com</em>, for instance) and the User-Agent is different too:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) </span></pre><p>&nbsp; <br />
Other parameters seen in the binary content are the following:<br />
&nbsp; </p>
<pre><span style="font-size: smaller;">/?abbr=RTK&amp;setupType=update&amp;uid=%d&amp;ttl=%s&amp;controller=microinstaller&amp;pid=3</span></pre><p>&nbsp; <br />
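<p>The request patterns listed above (hardcoded IPs, the two User-Agents, the <em>update%s.%s.com</em> / <em>report.&lt;random&gt;.com</em> hostnames, the two-character query parameter and the <em>microinstaller</em> URL) are enough to spot Simda beacons in outbound proxy logs. The following is an added example, not code from the original analysis: the log layout (timestamp, client, destination IP, method, URL, quoted User-Agent) and the four sample lines are constructed for the demonstration, while every indicator string comes from the strings quoted in the post.</p>

```python
"""Flag proxy-log lines that match the Simda beacon patterns listed above.

Added example, not code from the original post. The log layout (a constructed
"<timestamp> <client> <dst_ip> <method> <url> \"<user-agent>\"" format) and the
sample lines are made up for the demonstration; the IPs, User-Agents, hostname
templates and query parameters are the strings quoted in the analysis.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hardcoded C2 addresses from the sample and the request type each one serves.
SIMDA_C2_IPS = {
    "212.117.176.187": "hash",
    "79.133.196.94": "sign",
    "69.57.173.222": "sign",
}

# User-Agent strings embedded in the binary (verbatim from the analysis).
UA_FIREFOX = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"
UA_MSIE = ("Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; "
           ".NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; "
           ".NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)")
SIMDA_USER_AGENTS = {UA_FIREFOX, UA_MSIE}

# Hostname templates "update%s.%s.com" and "report.<random>.com". These are weak
# on their own (legitimate update hosts exist), so they only count when paired.
UPDATE_HOST_RE = re.compile(r"^update[^.]*\.[^.]+\.com$", re.IGNORECASE)
REPORT_HOST_RE = re.compile(r"^report\.[a-z0-9]+\.com$", re.IGNORECASE)

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
STRONG = ("c2-ip:", "user-agent", "microinstaller")


def classify(line):
    """Return the list of indicator names one log line matches (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ts, _client, dst_ip, method, url, ua = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    if dst_ip in SIMDA_C2_IPS:
        hits.append("c2-ip:" + SIMDA_C2_IPS[dst_ip])
    if ua in SIMDA_USER_AGENTS:
        hits.append("user-agent")
    if UPDATE_HOST_RE.match(host):
        hits.append("host:update")
    if REPORT_HOST_RE.match(host):
        hits.append("host:report")
    # "?%c%c=%s": a GET whose only query parameter has a two-character name
    # and carries the encoded system information as its value.
    if method == "GET" and len(query) == 1:
        name, values = next(iter(query.items()))
        if len(name) == 2 and values[0]:
            hits.append("two-char-param")
    # "/?abbr=RTK&setupType=update&...&controller=microinstaller&pid=3"
    if query.get("controller") == ["microinstaller"] and query.get("abbr") == ["RTK"]:
        hits.append("microinstaller")
    return hits


def is_beacon(hits):
    """A strong indicator alone, or two weak ones together, marks a beacon."""
    return any(h.startswith(STRONG) for h in hits) or len(hits) >= 2


def scan(log_text):
    """Return [(line_number, hits)] for every line that looks like a Simda beacon."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line)
        if is_beacon(hits):
            findings.append((number, hits))
    return findings


# Constructed sample traffic: three beacons and one benign request.
SAMPLE_LOG = "\n".join([
    '2013-10-07T22:11:46Z 10.0.0.5 212.117.176.187 GET '
    'http://updatexa.k3j2h1.com/?ab=ZGF0YQ "%s"' % UA_FIREFOX,
    '2013-10-07T22:12:01Z 10.0.0.5 198.51.100.7 GET '
    'http://report.93aaaaaa9ku7m3g793k.com/?abcd=ZGF0YQ "%s"' % UA_MSIE,
    '2013-10-07T22:12:30Z 10.0.0.5 198.51.100.9 GET http://203.0.113.10/?abbr=RTK'
    '&setupType=update&uid=42&ttl=3600&controller=microinstaller&pid=3 '
    '"Mozilla/4.0 (compatible; MSIE 8.0)"',
    '2013-10-07T22:13:00Z 10.0.0.6 93.184.216.34 GET http://www.example.com/index.html '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"',
])

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print("line %d: %s" % (number, ", ".join(hits)))
```

<p>The weighting matters more than the individual patterns: an IP hit, one of the two exact User-Agents or the <em>microinstaller</em> query is specific enough to alert on alone, whereas the hostname shapes and the two-character parameter are only worth raising when they co-occur, otherwise any <em>update.*.com</em> host would page someone.</p>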
Among a lot of other functionalities, this malware is capable of modifying the hosts file to redirect the traffic of the infected machine, modifying the search engine of Internet Explorer and Firefox to <em>findgala.com</em>, modifying the desktop &ldquo;My Computer&rdquo; shortcut, disabling the User Account Control (UAC), etc, etc. Some sources say that <a href="http://blogs.technet.com/b/mmpc/archive/2013/09/10/msrt-september-2013-win32-simda.aspx">it can also act as a banking malware</a>, but I have not seen any proof of that in this sample. If you want to read more abut this malware family take a look at the following links:</p>
<p><a href="http://malwaremustdie.blogspot.nl/2013/02/hulk-and-malware-crusaders-vs-fakeav.html">http://malwaremustdie.blogspot.nl/2013/02/hulk-and-malware-crusaders-vs-fakeav.html</a><br />
<a href="http://pastebin.com/zZ9nKEVP">http://pastebin.com/zZ9nKEVP</a><br />
<a href="http://www.virusradar.com/Win32_Simda.B/description">http://www.virusradar.com/Win32_Simda.B/description</a><br />
<a href="http://infosecdailydigest.com/2013/08/27/styxkein-exploit-kit-drive-by-encounter-at-www-astrostyle-com/">http://infosecdailydigest.com/2013/08/27/styxkein-exploit-kit-drive-by-encounter-at-www-astrostyle-com/</a></p>
<p>&nbsp; <br />
<a href="http://pastebin.com/A9gi0thM">List of related domains, IPs and some Whois info</a><br />
</p>
http://eternal-todo.com/blog/styx-exploit-kit-simda#comments
Analysis, Exploit kits, Exploits, Malware, Simda, Spam, Styx, Vulnerabilities
Mon, 07 Oct 2013 22:11:46 +0000
jesparza
113 at http://eternal-todo.com
Control of friends and followers on Twitter (API 1.1 update)
http://eternal-todo.com/blog/control-friends-followers-twitter-api-1.1-update
<p>More than 2 years ago (that's a lot of time!) <a href="http://eternal-todo.com/blog/control-friends-followers-twitter">I published a simple Python script to monitor a Twitter</a> account using <a href="https://github.com/tweepy/tweepy">Tweepy</a>: basic account information, inactive friends and new/lost followers. But this script stopped working some time ago because <a href="https://dev.twitter.com/blog/current-status-api-v1.1">Twitter updated its API to version 1.1</a>. This update made authentication mandatory for every request, and <a href="https://dev.twitter.com/docs/rate-limiting/1.1/limits">the request limits were also modified</a>. Before the update there was a limit of 150/350 requests per hour, depending on whether the request was authenticated or not, but now these limits are per request type and per 15 minutes. For example, to get a list of friends you can make a maximum of 15 requests per quarter of an hour, but you can make another 15 to get a list of followers. If someone is late (like me) with the new API, <a href="https://dev.twitter.com/docs/api/1.1/overview">here you can find the full changelog</a>.</p>
<p>Before starting to modify the code I also had to update <a href="https://github.com/tweepy/tweepy">Tweepy</a> to version 2.1. The best and easiest way is using <a href="https://pypi.python.org/pypi/pip"><em><strong>pip</strong></em></a>:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">$ pip install tweepy</span></pre><p>&nbsp;<br />
Now it is time to take a look at the code. The first important change was <a href="https://dev.twitter.com/docs/auth">the authentication issue</a>. So it is necessary to create a new application in our developer profile at <a href="https://dev.twitter.com/apps/">https://dev.twitter.com/apps/</a> to <a href="http://www.webdevdoor.com/php/authenticating-twitter-feed-timeline-oauth/">obtain the &ldquo;<em><strong>Consumer key</strong></em>&rdquo; and &ldquo;<em><strong>Consumer secret</strong></em>&rdquo; and the access token credentials, &ldquo;<em><strong>Access token</strong></em>&rdquo; and &ldquo;<em><strong>Access token secret</strong></em>&rdquo;</a> (follow Step 1 in the link). Instead of user authentication it is possible to perform an <a href="https://dev.twitter.com/docs/auth/application-only-auth">application-only authentication</a>. However, there is more documentation and there are more examples for user authentication, so no reason to complicate it more ;p</p>
<p>Due to the modification in the request limits we have a nice error if we execute the old code:<br />
&nbsp;</p>
<pre><span style="font-size: smaller;">TweepError([{'message': 'Rate limit exceeded', 'code': 88}],)</span></pre><p>&nbsp;<br />
With API 1.0 you were able to make a maximum of 150 requests per hour, and with each request it was possible to obtain a list of 100 friends/followers. Now we have a limit of 15 requests per 15 minutes, so with the same code we get a lower amount of users. However, the new API update also added <a href="https://dev.twitter.com/docs/api/1.1">some new request types</a>, like the possibility to get a list of up to 5,000 <a href="https://dev.twitter.com/docs/api/1.1/get/followers/ids">follower</a>/<a href="https://dev.twitter.com/docs/api/1.1/get/friends/ids">friend</a> ids per request! So the new implementation of the script takes these ids, compares them with the local file and then makes some <a href="https://dev.twitter.com/docs/api/1.1/get/users/lookup">bulk requests to get the users' information</a>, but only for new followers, which saves requests. </p>
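<p>The diff-then-bulk-lookup approach described above, as an added example that is not the post's own script: the last known id lists are kept in a local JSON file, diffed against the live id lists, and <em>users/lookup</em> is called only for ids that are new, in batches of 100 (the maximum that endpoint accepts per request). The <em>lookup</em> callable is injected so the block runs offline; with Tweepy 2.1 it would wrap <em>api.lookup_users(user_ids=chunk)</em>, and the live id lists would come from <em>api.friends_ids()</em> and <em>api.followers_ids()</em>. The <em>SAMPLE_DIRECTORY</em> behind the offline stub is constructed.</p>

```python
"""Friends/followers bookkeeping that fits the API 1.1 rate limits.

Added example, not the post's script. Pull the full id lists (up to 5,000 ids
per friends/ids or followers/ids call), diff them against the ids stored
locally, and call users/lookup only for ids that are new, 100 ids per call.
`lookup` is any callable taking a list of ids; with Tweepy 2.1 it would be
`lambda ids: api.lookup_users(user_ids=ids)`. SAMPLE_DIRECTORY is constructed.
"""
import json
import os

LOOKUP_BATCH = 100  # users/lookup accepts at most 100 ids per request


def diff_ids(stored, current):
    """Return (new_ids, lost_ids) comparing the local snapshot to the live list."""
    stored, current = set(stored), set(current)
    return sorted(current - stored), sorted(stored - current)


def batched(ids, size=LOOKUP_BATCH):
    """Yield ids in chunks no larger than `size`, one chunk per API request."""
    ids = list(ids)
    for start in range(0, len(ids), size):
        yield ids[start:start + size]


def resolve(ids, lookup):
    """Fetch user records only for the given ids, counting the requests made."""
    users, requests = [], 0
    for chunk in batched(ids):
        users.extend(lookup(chunk))
        requests += 1
    return users, requests


def load_snapshot(path):
    """Read the locally stored id lists; an absent file means a first run."""
    if not os.path.exists(path):
        return {"friends": [], "followers": []}
    with open(path) as fh:
        return json.load(fh)


def save_snapshot(path, friends, followers):
    """Persist the live id lists so the next run can diff against them."""
    with open(path, "w") as fh:
        json.dump({"friends": sorted(friends), "followers": sorted(followers)}, fh)


def check(current_friends, current_followers, snapshot, lookup):
    """One run: diff both lists, resolve only new followers, count lookups.

    Lost followers are reported by id only: their ids are still in the
    snapshot, so no request is spent on them.
    """
    new_followers, lost_followers = diff_ids(snapshot["followers"], current_followers)
    new_friends, lost_friends = diff_ids(snapshot["friends"], current_friends)
    new_users, lookups = resolve(new_followers, lookup)
    return {
        "new_followers": new_users,
        "lost_followers": lost_followers,
        "new_friends": new_friends,
        "lost_friends": lost_friends,
        "lookup_requests": lookups,
    }


# Constructed stand-in for users/lookup so the example runs offline.
SAMPLE_DIRECTORY = {i: {"id": i, "screen_name": "user%d" % i} for i in range(1, 301)}


def fake_lookup(ids):
    """Offline users/lookup: enforces the 100-id limit like the real endpoint."""
    if len(ids) > LOOKUP_BATCH:
        raise ValueError("users/lookup takes at most 100 ids per request")
    return [SAMPLE_DIRECTORY[i] for i in ids]


if __name__ == "__main__":
    # Simulated second run: 150 followers stored, 290 live, 150 of them new.
    snapshot = {"friends": [1, 2, 3], "followers": list(range(1, 151))}
    report = check([2, 3, 4], list(range(11, 301)), snapshot, fake_lookup)
    print("new followers: %d (resolved in %d users/lookup requests)"
          % (len(report["new_followers"]), report["lookup_requests"]))
    print("lost followers:", report["lost_followers"])
```

<p>Resolving the 150 new ids in the simulated run costs two <em>users/lookup</em> requests, while paging through all 290 live followers at 100 users per request, the API 1.0 way, would have cost three and told us nothing about the 10 lost ones that a local diff finds for free.</p>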
<p>After these modifications we can use the script as before and without errors (if we don't reach the limits, of course). The annoying thing about this is that we have to create a Twitter application and copy the credentials into the script, or use an alternative option, like reading these values from environment variables. <a href="http://eternal-todo.com/var/scripts/twitcheck">You can download the new code from here</a>.</p>
http://eternal-todo.com/blog/control-friends-followers-twitter-api-1.1-update#comments
Python, Scripts, Social Networking, Twitter
Sun, 08 Sep 2013 12:56:17 +0000
jesparza
111 at http://eternal-todo.com